Abstract. We develop local reasoning techniques for message passing concurrent programs based on ideas from separation logics and resource usage analysis. We extend processes with permission-resources and define a reduction semantics for this extended language. This provides a foundation for interpreting separation formulas for message-passing concurrency. We also define a sound proof system permitting us to infer satisfaction compositionally using local, separation-based reasoning.



Reasoning about concurrent programs is widely acknowledged to be a difficult business, due to the intricate interferences between threads scheduled non-deterministically and to the intrinsic difficulty of scaling reasoning techniques to account for these. The use of local reasoning techniques in the guise of separation logic [33, 28] represents a promising advance for this area. Here, the state of the resources acted upon by threads is reasoned about independently, where possible. This approach has spawned numerous papers (e.g., [29, 10]) targeting the shared-variable concurrency model.

An alternative, albeit slightly higher-level, model of concurrency is that of message-passing, whereby the only shared resources allowed are the message-passing channels themselves. Access to these shared resources is controlled by the message-passing programming interface, and so interfering behaviour is more explicit and can therefore be tracked more readily. This paradigm has been extensively studied using process calculi [26, 27, 34] but has also been efficiently implemented and deployed in more programming-oriented settings [16, 32].

In this paper we develop a local reasoning proof system for message-passing concurrent programs, based on ideas from both concurrent separation logics [28] and permission-based resource analyses [6]. Our initial step towards the broader and ambitious goal of local reasoning for message-passing systems focuses on the study of confluent value-passing programs, a class large enough to present a significant theoretical challenge while still being of considerable practical interest.

1998 ACM Subject Classification: F.3.1, F.3.2, F.3.3. 
Our approach to using processes as a model for separation-based Hoare-style reasoning centers around the conceptual partitioning of message-passing programs into 'program state', i.e., the values emitted on asynchronous outputs, and 'program code', i.e., the remaining parallel processes acting on this state. For instance, one way to view the program

$$c_1!4 \;\|\; c_2!2 \;\|\; c_1?x.c_2?y.\,\textbf{if } x = y \textbf{ then } (c_1!(x, x{+}x) \| d!) \textbf{ else } (c_2!(x, y, x{+}y) \| d!) \qquad (1.1)$$

would be to consider the asynchronous outputs 

$$c_1!4 \;\|\; c_2!2 \qquad (1.2)$$

as the 'state', holding values 4 and 2 at 'addresses' c₁ and c₂, and the process

$$c_1?x.c_2?y.\,\textbf{if } x = y \textbf{ then } (c_1!(x, x{+}x) \| d!) \textbf{ else } (c_2!(x, y, x{+}y) \| d!) \qquad (1.3)$$

as the 'code', or state transformer, consuming the values on channels c₁ and c₂ and producing a new state holding the previous values consumed from c₁ and c₂ together with their summation on either of the previously used channels c₁ and c₂, depending on whether these values were equal or not, and signalling on channel d. Using such an analogy, we can decompose our analysis and reason about sub-programs independently. We can interpret assertions over processes such as

$$c_1\langle 4\rangle * c_2\langle 2\rangle \qquad (1.4)$$

This assertion, a (separating) conjunction, describes a process reducing to a 'soup' of two asynchronous outputs on channels c₁ and c₂, holding values 4 and 2 respectively; the process in (1.2) would satisfy this assertion. This state-based process view also permits an intuitive formulation of Hoare-style sequents of the form

$$\{\,c_1\langle 4\rangle * c_2\langle 2\rangle\,\} \;\;-\;\; \{\,c_2\langle 4, 2, 6\rangle * d\langle\rangle\,\} \qquad (1.5)$$

Such a sequent describes a process that, once composed with the state described by the precondition c₁⟨4⟩ * c₂⟨2⟩, reduces to some other stable state described by the postcondition c₂⟨4, 2, 6⟩ * d⟨⟩, with values 4, 2, 6 on channel c₂ and an empty tuple on channel d acting as a signal, indicating that the data on channel c₂ can now be accessed; the process in (1.3) would satisfy this sequent. In compositional fashion, we can then determine that the entire program of (1.1) reduces to a stable state satisfying c₂⟨4, 2, 6⟩ * d⟨⟩ from separate analyses relating to the two sub-programs.

This state-based logical view of processes lends itself well to the specification of deterministic computation whose operation can be decomposed into asynchronous parallel subcomponents. Application examples range from parallel processing of data [23] to distributed agreement problems [25]. State-based specifications allow a more natural expression of the expected behaviour of these algorithms because they are agnostic with respect to the specific temporal order of the generation and consumption of this state. For instance, as opposed to temporal logics, the formula (1.4) does not specify whether the sub-state c₁⟨4⟩ is to be produced before c₂⟨2⟩ or vice versa. Dually, sequents such as (1.5) do not necessarily specify if and how the data on channels is to be consumed. The temporal agnosticism of 'spatial' specifications is also more amenable to intuitive decomposition and composition of analyses: we can verify that a process P satisfies the formula (1.4) from sub-processes making up P that satisfy c₁⟨4⟩ and c₂⟨2⟩.

The state-based logical process view is also appealing because the specifications of the algorithms we are considering are, in some sense, more data-centric than control-centric, and focus more on the relationships between data at the beginning and the end of the computation. One can in fact view the sequent in (1.5) as a description of how the data on channels c₁ and c₂ in the precondition changes to the data on c₂ in the postcondition; the dependencies between such data will be made more explicit later on once we introduce value variables. Finally, data-centric applications such as in-place sorting also tend to reuse data-placeholders during computation, possibly at different types and formats (e.g., the code in (1.3)), in order to minimise resource usage. Correctness specifications such as the sequent in (1.5) handle this aspect rather naturally, as opposed to traditional correctness analyses for message passing programs, such as the type systems in [4, 36], which often limit channel usage to one form of data.

A central assumption underlying our process interpretations is the absence of program interference and the deterministic reduction of processes. In a message-passing paradigm, program interference is caused by races for values, through multiple outputs or inputs competing for shared channels. In cases such as (1.1) above, where channels are reused, rudimentary analyses based on the free names of processes are too coarse for adequate race detection. Moreover, type-based safety analyses, e.g., [4, 36], tend to avoid reasoning about data, approximating control over branching as a result.

To reason about such interferences in the presence of channel reuse, we define a resource-semantics for processes, based on linear input and output permissions. Every process is embellished with a set of permissions, ⌈P⌉ρ, denoting that process P 'owns' the permissions in set ρ (cf. ownership hypothesis, [28]). The resource-semantics limits communication to the permissions owned by a process. Thus, for example, for the following reduction to occur

$$\lceil c_1!4\rceil_{\rho} \;\|\; \lceil c_1?x.P\rceil_{\mu} \;\longrightarrow\; \lceil P\{4/x\}\rceil_{\rho\cup\mu} \qquad (1.6)$$

the output process, c₁!4 (resp. the input process, c₁?x.P), must have the permission to output (resp. to input) on channel c₁ in its permission-set ρ (resp. μ). Since permissions are not part of the original process semantics (they are only added in the resource-semantics to aid reasoning), the above enriched reduction also describes the implicit transfer of permissions ρ from the output process, c₁!4, to the input process, c₁?x.P, i.e., adding ρ to the already owned permissions μ, as a result of their synchronisation (cf. ownership transfer [28]).



$$\{\,c_1\langle 4\rangle * c_2\langle 2\rangle\,\}\;\; \Big\lceil c_1?x.c_2?y.\,\textbf{if } x = y \textbf{ then } c_1!(x, x{+}x) \| d! \textbf{ else } c_2!(x, y, x{+}y) \| d! \Big\rceil_{\{\downarrow c_1,\, \downarrow c_2,\, \uparrow d\}} \;\; \{\,c_2\langle 4, 2, 6\rangle * d\langle\rangle\,\} \qquad (1.7)$$

The earlier sequent (1.5) can now be stated in terms of the process of (1.3) confined by the permissions ↓c₁, ↓c₂ and ↑d, as shown in (1.7). Note how channel reuse manifests itself through the fact that our permission-confined process in (1.7) does not own the output permissions ↑c₁ and ↑c₂, even though they are clearly used in this code. These will instead be obtained from the precondition; from a permission perspective, the inputs on channels c₁ and c₂ act as guards, masking the use of the permissions ↑c₁ and ↑c₂.
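As an added illustration (not part of the original paper) of how the permissions behind (1.7) are actually threaded through the process, the following reduction sequence runs the confined process of (1.7) against a context supplying the precondition as two confined outputs, each owning only the output permission it uses. Rule names are those of Figure 2 (cCom: synchronisation with transfer, cEls: the false branch, cSpl: splitting a parallel composition); the particular split chosen at the cSpl step is our choice, since the rule itself leaves the partition open.

$$\begin{array}{rl}
& \lceil c_1!4\rceil_{\{\uparrow c_1\}} \;\|\; \lceil c_2!2\rceil_{\{\uparrow c_2\}} \;\|\; \lceil c_1?x.c_2?y.\,\textbf{if } x = y \textbf{ then } (c_1!(x, x{+}x) \| d!) \textbf{ else } (c_2!(x, y, x{+}y) \| d!)\rceil_{\{\downarrow c_1,\, \downarrow c_2,\, \uparrow d\}} \\[4pt]
\longrightarrow & \lceil c_2!2\rceil_{\{\uparrow c_2\}} \;\|\; \lceil c_2?y.\,\textbf{if } 4 = y \textbf{ then } (c_1!(4, 8) \| d!) \textbf{ else } (c_2!(4, y, 4{+}y) \| d!)\rceil_{\{\downarrow c_1,\, \downarrow c_2,\, \uparrow d,\, \uparrow c_1\}} \quad \text{(cCom on } c_1\text{)} \\[4pt]
\longrightarrow & \lceil \textbf{if } 4 = 2 \textbf{ then } (c_1!(4, 8) \| d!) \textbf{ else } (c_2!(4, 2, 6) \| d!)\rceil_{\{\downarrow c_1,\, \downarrow c_2,\, \uparrow d,\, \uparrow c_1,\, \uparrow c_2\}} \quad \text{(cCom on } c_2\text{)} \\[4pt]
\longrightarrow & \lceil c_2!(4, 2, 6) \;\|\; d!\rceil_{\{\downarrow c_1,\, \downarrow c_2,\, \uparrow d,\, \uparrow c_1,\, \uparrow c_2\}} \quad \text{(cEls)} \\[4pt]
\longrightarrow & \lceil c_2!(4, 2, 6)\rceil_{\{\downarrow c_1,\, \downarrow c_2,\, \uparrow c_1,\, \uparrow c_2\}} \;\|\; \lceil d!\rceil_{\{\uparrow d\}} \quad \text{(cSpl)}
\end{array}$$

The final system is stable, every output owns the permission it uses, and it satisfies the postcondition c₂⟨4, 2, 6⟩ * d⟨⟩ of (1.7). The permission ↑c₂ needed by the final output only entered the process at the second communication, which is exactly the point masked by the input guard c₂?y; had the context failed to supply ↑c₂ with its output, the last output would be a permission violation rather than a valid reduction.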

Making ownership explicit also simplifies the detection of races in the model and provides an immediate notion of process separation in terms of owned permissions. For instance, in (1.6) we determine that there are no races across the two processes ⌈c₁!4⌉ρ and ⌈c₁?x.P⌉μ without having to analyse the actual structure of the respective confined processes c₁!4 and c₁?x.P; instead we simply check that their permission sets are disjoint, i.e., ρ ∩ μ = ∅ (cf. separation property [28]). This assumed disjointness of permissions will also play a major role in the semantic definition of (1.7), as it allows us to give a separation interpretation to our sequents.

$$\{\,c_1\langle 4\rangle * c_2\langle 2\rangle\,\}\;\; c_1?x.c_2?y.\,\textbf{if } x = y \textbf{ then } c_1!(x, x{+}x) \| d! \textbf{ else } c_2!(x, y, x{+}y) \| d! \;\; \{\,c_2\langle 4, 2, 6\rangle * d\langle\rangle\,\} \qquad (1.8)$$
Another pleasing property of this embellishment is that, in the absence of races, this resource-semantics corresponds to the standard (permission-less) reduction semantics. Thus the permission semantics can be used as a narrative to support reasoning about confluent reductions of processes. This means that we can abstract over the existence of such a narrative in our sequents and express (1.7) simply as the permission-less sequent in (1.8), thereby returning to our original aim and obtaining Hoare-triple specifications in terms of processes.

We define a sound proof system for the aforementioned logic and resource-confined processes with judgements of the form:

The environment, Γ, associates channels with ownership transfer invariants of permissions, and S denotes a system of processes confined by permissions. These sequents depart slightly from previous work on concurrent separation logic [28], as value-domain assertions - assertions interpreted exclusively in terms of the domain of values communicated and thus independent of the process structure, S - are extracted from the pre- and post-conditions, φ and ψ, and consolidated as a boolean expression, b. Correctness proofs in this proof system weave together two inter-dependent mechanisms. On the one hand, they verify, in sequential fashion, the satisfaction of the post-condition ψ for system S, assuming the precondition φ; the soundness of this sequential analysis stems from the non-interference properties guaranteed by the resource semantics of S. On the other hand, sequents construct race-free systems S, using assumptions from the environment, Γ, and the pre-condition, φ.

We have already argued for the naturality of our specifications with respect to deterministic message-passing programs and how our analysis can handle a more refined analysis of branching control, even when this is data dependent, as in (1.1). Another, perhaps even more crucial, advantage of our approach over existing analysis techniques for message-passing concurrency (e.g., [2, 13]) is locality of reasoning. By concentrating on deterministic code, our reasoning need not take into account the different interleavings of concurrent code executing in context; this substantially facilitates proof compositionality and induces a lightweight sequential form of analysis. Explicit permission ownership simplifies interference delineation, even in the presence of channel reuse; such delineation is a major obstacle when defining manageable compositional proof rules (e.g., [13]).

The paper is structured as follows. We introduce our language in Section 2. In Section 3 we define a resource-semantics for permission-confined processes and state its key properties. We define our assertion logic and interpret it using a separation model over confined processes in Section 4. In Section 5 we present our proof system and state its soundness, whereas in Section 6 we apply this system to prove properties about message-passing programs. Finally, in Section 7 we make concluding remarks regarding related and future work.

2. Language 

Our language, an asynchronous value-passing CCS, is described in Figure 1 and consists of three syntactic categories. Values, v, u ∈ Values, are numerals denoting integers. Side-effect free expressions, e, denote integer operations that may contain variables x, y ∈ Vars. We assume an evaluation function from closed expressions to values, e ⇓ v. We also assume a denumerable set of channel names c, d ∈ Names and process names K ∈ PNames, and denote lists of values, variables and channels as v̄, x̄ and c̄ respectively.
Values, Expressions, Boolean Expressions and Processes

$$v, u ::= 0 \mid 1 \mid \ldots \qquad e ::= v \mid x \mid e + e \mid e - e \qquad b ::= e \le e \mid \neg b \mid b \wedge b$$

$$P, Q ::= c!\bar e \;\mid\; c?\bar x.P \;\mid\; \textbf{if } b \textbf{ then } P \textbf{ else } Q \;\mid\; K(\bar e)[\bar c/\bar d] \;\mid\; \textbf{nil} \;\mid\; P \| Q \;\mid\; (\textbf{new } c)P$$

Structural Equivalence Rules

$$\begin{array}{ll}
\text{sCom}\quad P \| Q \equiv Q \| P & \text{sAss}\quad P \| (Q \| R) \equiv (P \| Q) \| R \\
\text{sNew}\quad (\textbf{new } c)\textbf{nil} \equiv \textbf{nil} & \text{sSwp}\quad (\textbf{new } c)(\textbf{new } d)P \equiv (\textbf{new } d)(\textbf{new } c)P \\
\text{sNil}\quad P \| \textbf{nil} \equiv P & \text{sExt}\quad P \| (\textbf{new } c)Q \equiv (\textbf{new } c)(P \| Q) \;\text{ if } c \notin \mathrm{fn}(P)
\end{array}$$

Reduction Rules

$$\text{rThn}\;\frac{b \Downarrow \mathsf{tt}}{\textbf{if } b \textbf{ then } P \textbf{ else } Q \longrightarrow P} \qquad \text{rEls}\;\frac{b \Downarrow \mathsf{ff}}{\textbf{if } b \textbf{ then } P \textbf{ else } Q \longrightarrow Q}$$

$$\text{rCom}\;\frac{\bar e \Downarrow \bar v}{c!\bar e \;\|\; c?\bar x.P \longrightarrow P\{\bar v/\bar x\}} \qquad \text{rPrc}\;\frac{K(\bar x) = P \qquad \bar e \Downarrow \bar v}{K(\bar e)[\bar c/\bar d] \longrightarrow P\{\bar v/\bar x\}\{\bar c/\bar d\}}$$

$$\text{rRes}\;\frac{P \longrightarrow P'}{(\textbf{new } c)P \longrightarrow (\textbf{new } c)P'} \qquad \text{rPar}\;\frac{P \longrightarrow P'}{P \| Q \longrightarrow P' \| Q} \qquad \text{rStr}\;\frac{P \equiv P' \qquad P' \longrightarrow Q' \qquad Q' \equiv Q}{P \longrightarrow Q}$$

Figure 1: Processes, Structural Equivalence and Reduction

2.1. Syntax. The main syntactic category is that of processes, which can asynchronously send the evaluation of expressions on a channel, c!ē, receive values on a channel, c?x̄.P, and branch on the evaluation of boolean expressions, if b then P else Q. Processes may assume a number of parameterised (possibly recursive) process definitions, K(x̄) = P; these can be invoked by the call K(ē)[c̄/d̄], instantiating the process variables x̄ with the evaluation of ē and renaming the names d̄ to c̄. Finally, processes may also be inactive, nil, execute in parallel, P || Q, and can restrict the scope of channels to subsets of processes, (new c)P.

2.2. Reduction Semantics. The rules for the judgement P → Q in Figure 1 describe the dynamics of closed processes, i.e., processes whose message variables x̄ are all bound by input constructs c?x̄._ and whose process names are all defined. Closed boolean expressions, i.e., boolean formulas without free variables, have a classical interpretation over the boolean domain {tt, ff}, characterised by the two judgements b ⇓ tt and b ⇓ ff. Although this is entirely standard, we explicitly state it here in Definition 2.1 due to its central role in subsequent development (cf. Section 5).

Definition 2.1 (Boolean Condition Interpretation).

$$e_1 \le e_2 \Downarrow \begin{cases} \mathsf{tt} & \text{if } e_1 \Downarrow v_1,\ e_2 \Downarrow v_2 \text{ and } v_1 \le v_2 \\ \mathsf{ff} & \text{if } e_1 \Downarrow v_1,\ e_2 \Downarrow v_2 \text{ and } v_2 < v_1 \end{cases} \qquad \neg b \Downarrow \begin{cases} \mathsf{tt} & \text{if } b \Downarrow \mathsf{ff} \\ \mathsf{ff} & \text{if } b \Downarrow \mathsf{tt} \end{cases}$$

$$b_1 \wedge b_2 \Downarrow \begin{cases} \mathsf{tt} & \text{if } b_1 \Downarrow \mathsf{tt} \text{ and } b_2 \Downarrow \mathsf{tt} \\ \mathsf{ff} & \text{if } (b_1 \Downarrow \mathsf{ff} \text{ and } b_2 \Downarrow \mathsf{ff}) \text{ or } (b_1 \Downarrow \mathsf{tt} \text{ and } b_2 \Downarrow \mathsf{ff}) \text{ or } (b_1 \Downarrow \mathsf{ff} \text{ and } b_2 \Downarrow \mathsf{tt}) \end{cases}$$



Our language does not allow channel names to be communicated, as in the π-calculus [27, 34].
A number of shorthand conventions are used. We write c! for c!ē and c?.P for c?x̄.P when |ē| = 0 (resp. |x̄| = 0). We elide arguments and renaming from process calls, resp. K[c̄/d̄] and K(ē), whenever these are empty lists. We also write e₁ = e₂ for (e₁ ≤ e₂) ∧ (e₂ ≤ e₁), e₁ < e₂ for ¬(e₂ ≤ e₁), true for 0 ≤ 1, false for 1 ≤ 0, b₁ ∨ b₂ for ¬(¬b₁ ∧ ¬b₂) and b₁ ⇒ b₂ for ¬b₁ ∨ b₂. Finally, we use the shorthand ē ⇓ v̄ for the evaluation of lists of expressions e₁ ⇓ v₁ … eₙ ⇓ vₙ whenever ē = e₁ … eₙ and v̄ = v₁ … vₙ.

Substitutions, σ ∈ Sub, are total maps from variables to values, Vars → Values, and are used to define the semantics of rules rCom and rPrc. They are finitely denoted as {v̄/x̄}, meaning that every xᵢ ∈ x̄ is mapped to its respective vᵢ ∈ v̄, while abstracting over all the other variable mappings in the substitution. In the case of rPrc only, we abuse this notation to express the renaming of d̄ to c̄. In Section 5 we abuse this notation again to describe substitutions from variables to expressions, {ē/x̄}. Our semantics assumes the following property of expression evaluation, which will be useful later in Section 5.

Assumption 2.2. $e_1\{\bar v/\bar x\} \Downarrow v_1$ and $\bar e \Downarrow \bar v$ implies $e_1\{\bar e/\bar x\} \Downarrow v_1$

A brief note on some conventions used. To improve readability we have attempted to minimise the use of universal and existential quantifiers in our statements. Thus, unless explicitly stated, free variables introduced to the left of an implication are to be understood as universally quantified, whereas free variables introduced to the right of an implication are understood as existentially quantified.

As is standard in process calculi presentations [27, 34], the definition of the reduction semantics is kept compact through the rule rStr and the use of the process structural equivalence rules, P ≡ Q, also defined in Figure 1. Later on, this structural equivalence will play a role in abstracting away from the precise structure of processes when describing the satisfaction of our logic (cf. Section 4).

2.3. Process Determinism. The reduction semantics of Figure 1 induces the following definitions relating to stability, evaluation and determinism, where →* denotes the reflexive transitive closure of →.

Definition 2.3 (Stability). $P \not\longrightarrow \;\triangleq\; \nexists Q.\; P \longrightarrow Q$

Definition 2.4 (Evaluation). $P \Downarrow Q \;\triangleq\; \exists Q'.\; P \longrightarrow^{*} Q' \text{ and } Q' \not\longrightarrow \text{ and } Q' \equiv Q$

Our definition of process determinism, Definition 2.6, differs from that given in [26] in that it requires convergence, P⇓, cf. Definition 2.5. We also define divergence, as the dual of convergence in standard fashion, in order to describe the existence of an infinite reduction path. Defining determinism in terms of convergence carries other advantages apart from the obvious relevance of termination in resource-aware settings of computation; it arguably allows for a more intuitive definition of determinism in terms of the comparison of the stable processes evaluated to (the second clause in Definition 2.6). Moreover, it fits well with our running theme of a state-based view of processes.

Definition 2.5 (Convergence and Divergence). ⇓ is the least predicate over processes satisfying the condition:

$$P \Downarrow \;\triangleq\; P \not\longrightarrow \;\text{ or }\; (\forall Q.\; P \longrightarrow Q \text{ implies } Q \Downarrow)$$

Divergence, P⇑, denotes the inverse, $P \not\Downarrow$.
Definition 2.6 (Determinism). P is deterministic iff:

(1) $P \Downarrow$

(2) $P \Downarrow Q_1$ and $P \Downarrow Q_2$ implies $Q_1 \equiv Q_2$

Concurrent code is notoriously hard to analyse. One major source of complication is the potential non-deterministic behaviour of this code, which impacts the ability to tractably define manageable compositional proof rules (e.g., [13]). More precisely, generic non-deterministic code requires one to take into account the various interleavings of concurrent code executing in its context, potentially affecting its execution.

Although message passing concurrency minimises this interference to well defined interfaces, 
problems persist due to races on shared channels. Channel reuse together with the lack of an explicit 
account of resource usage makes interference hard to delineate. 

Example 2.7. The (composite) process Prg takes two inputs x₁, x₂ on channels c₁, c₂ respectively. It discards x₂ and, if x₁ is less than 10, outputs the value x₁ itself together with its double on c₁ while using c₄ as a signal. Otherwise, it uses c₄ to output x₁ by itself.

$$\begin{array}{rcl}
Prg & = & (\textbf{new } c_3)(Fltr \;\|\; Dbl) \\
Dbl & = & c_2?x_2.\,c_3?x_4.\,c_1!(x_4 + x_4) \\
Fltr & = & c_1?x_1.\,\textbf{if } x_1 \le 9 \textbf{ then } \big(c_3!x_1 \;\|\; c_1?x_3.(c_1!(x_1, x_3) \;\|\; c_4!)\big) \textbf{ else } c_4!x_1
\end{array}$$

Internally, Prg is composed of two sub-processes, Fltr and Dbl, sharing a scoped channel, c₃. Process Fltr filters whether x₁ is less than 10 and forwards the value to process Dbl on channel c₃, which, in turn, reuses channel c₁ to return the doubled value.

The process Prg trivially converges as it is stable. When placed in the context of race-free outputs such as c₁!v₁ || c₂!v₂, Prg still converges and evaluates deterministically to

$$\begin{array}{lll}
Prg \;\|\; c_1!v_1 \;\|\; c_2!v_2 & \Downarrow\; c_4! \;\|\; c_1!(v_1, 2 \times v_1) & \text{when } v_1 \le 9 \text{ and;} \\
Prg \;\|\; c_1!v_1 \;\|\; c_2!v_2 & \Downarrow\; c_4!v_1 \;\|\; (\textbf{new } c_3)(c_3?x_4.\,c_1!(x_4 + x_4)) & \text{when } v_1 > 9
\end{array}$$

On the other hand, races on, for example, channel c₁ make Prg behave non-deterministically. For instance, when placed in the context of two outputs on c₁, such as c₁!1 || c₂!v₂ || c₁!3, we have a race for the processing of Prg, yielding two possible outcomes:

$$\begin{array}{lll}
Prg \;\|\; c_1!1 \;\|\; c_2!v_2 \;\|\; c_1!3 & \Downarrow\; c_4! \;\|\; c_1!(1, 2) \;\|\; c_1!3 & \text{or;} \\
Prg \;\|\; c_1!1 \;\|\; c_2!v_2 \;\|\; c_1!3 & \Downarrow\; c_4! \;\|\; c_1!(3, 6) \;\|\; c_1!1 &
\end{array}$$

More subtly, Prg || c₁!1 || c₂!v₂ || c₁!3 may also behave in unexpected ways, since we have a second race condition when channel c₁ is reused internally in Prg, i.e., when Dbl sends back its answer to Fltr on c₁: the second input of Fltr on c₁ may consume the remaining context output instead of the doubled value, leaving the latter behind, thereby obtaining

$$\begin{array}{lll}
Prg \;\|\; c_1!1 \;\|\; c_2!v_2 \;\|\; c_1!3 & \Downarrow\; c_4! \;\|\; c_1!(1, 3) \;\|\; c_1!2 & \text{or;} \\
Prg \;\|\; c_1!1 \;\|\; c_2!v_2 \;\|\; c_1!3 & \Downarrow\; c_4! \;\|\; c_1!(3, 1) \;\|\; c_1!6 &
\end{array}$$

When placed in the context of two outputs on c₁ with values that are less than 10 and also values that are bigger than or equal to 10, such as c₁!1 || c₂!v₂ || c₁!10, non-deterministic behaviour varies even more widely in structure. In fact we can have:

$$\begin{array}{lll}
Prg \;\|\; c_1!1 \;\|\; c_2!v_2 \;\|\; c_1!10 & \Downarrow\; c_4! \;\|\; c_1!(1, 2) \;\|\; c_1!10 & \text{or;} \\
Prg \;\|\; c_1!1 \;\|\; c_2!v_2 \;\|\; c_1!10 & \Downarrow\; c_4!10 \;\|\; (\textbf{new } c_3)(c_3?x_4.\,c_1!(x_4 + x_4)) \;\|\; c_1!1 &
\end{array}$$
Dually, when Prg is placed in the context of c₁!1 || c₂!v₂ || c₁?x.nil, which introduces another input competing for the output on c₁, we have even more non-deterministic behaviour. We can have:

$$\begin{array}{lll}
Prg \;\|\; c_1!1 \;\|\; c_2!v_2 \;\|\; c_1?x.\textbf{nil} & \Downarrow\; c_4! \;\|\; c_1!(1, 2) \;\|\; c_1?x.\textbf{nil} & \text{or;} \\
Prg \;\|\; c_1!1 \;\|\; c_2!v_2 \;\|\; c_1?x.\textbf{nil} & \Downarrow\; (\textbf{new } c_3)(Fltr \;\|\; c_3?x_4.\,c_1!(x_4 + x_4)) & \text{or even;} \\
Prg \;\|\; c_1!1 \;\|\; c_2!v_2 \;\|\; c_1?x.\textbf{nil} & \Downarrow\; c_1?x_3.(c_1!(1, x_3) \;\|\; c_4!) &
\end{array}$$

In practice, a substantial body of concurrent code is expected to behave deterministically under some form of non-interference assumptions. One example is the in-place quicksort algorithm, which can be encoded in our language as shown in Example 2.8. In this example, determinism is even harder to ascertain because, apart from channel reuse, the code is also recursively defined. This gives us scope for developing refined analysis techniques for deterministic code which lend themselves better to compositionality.

Example 2.8 (In-Place Quicksort). The process definition Qck(i, j) defines a quicksort algorithm, sorting arrays of values in-place and signalling on channel r once sorting completes. Arrays of integers a = [v₁ … vₙ] are represented as a set of messages a₁!v₁ || … || aₙ!vₙ on an indexed set of channels a₁ … aₙ.¹ When arrays are of length 1, Qck(i, i) signals immediately on channel r. Otherwise, it chooses the value at the lowest index, aᵢ!vᵢ, as the pivot, partitions the array, and then calls quicksort recursively on the two partitions, renaming the returning signal to a fresh channel name in each case. Once the two sub-sortings signal back, the process can signal back on r.



$$Qck(i, j) \;=\; \textbf{if } i = j \textbf{ then } r! \textbf{ else } (\textbf{new } r_3)\Big( Prt(i, j)[r_3/r] \;\|\; r_3?x.(\textbf{new } r_1, r_2)\big( Qck(i, x{-}1)[r_1/r] \;\|\; Qck(x{+}1, j)[r_2/r] \;\|\; r_1?.r_2?.r! \big) \Big)$$



At the heart of quicksort is Prt(i, j), which partitions an array into two sub-arrays separated by a pivot cell, aₚ!vₚ, and signals completion by outputting the partition index as a value, r!p. After partitioning completes, the values in the first sub-array (i.e., indexes less than p) are less than vₚ and the values of the second sub-array (i.e., indexes greater than p) are bigger than or equal to vₚ. Partitioning calls the array traversal process Trv(l, h, x, p, c), initialising the pivot value x to vᵢ, the pivot index p to i, the counter index c to i+1 and the low and high array boundaries l, h to i and j respectively.

$$Prt(i, j) \;=\; a_i?x.\,Trv(i, j, x, i, i{+}1)$$

Traversal loops through the indexes i+1 up to h, (6) then (1), comparing their values with the pivot value, (2). If the current value is greater than or equal to x, in-place partitioning restores the cell and increments the counter, (3). Otherwise, it increments the pivot index to p+1, swaps the current value with the value at the new pivot index, and proceeds to the next index, (4). Since reads are destructive in value passing concurrency, swapping occurs only when the two indexes are distinct, (5). Once traversal exceeds the highest index of the array, (6), the pivot value at the lowest index l is swapped with the value at the current pivot index p and the pivot index is returned as the return value r!p, (7); again swapping is avoided if these two indexes are the same.

¹ Since our language can branch on integer values, channel indexing can be encoded.



$$\begin{array}{ll}
Trv(l, h, x, p, c) \;=\; \textbf{if } c > h \textbf{ then } & (6) \\
\quad \textbf{if } l = p \textbf{ then } (a_l!x \;\|\; r!p) \textbf{ else } a_p?y.(a_l!y \;\|\; a_p!x \;\|\; r!p) & (7) \\
\textbf{else } a_c?y. & (1) \\
\quad \textbf{if } x \le y \textbf{ then } a_c!y \;\|\; Trv(l, h, x, p, c{+}1) & (2),\,(3) \\
\quad \textbf{else} & (4) \\
\qquad \textbf{if } c = p{+}1 \textbf{ then } \big(a_c!y \;\|\; Trv(l, h, x, p{+}1, c{+}1)\big) & (5) \\
\qquad \textbf{else } a_{p+1}?z.\big(a_c!z \;\|\; a_{p+1}!y \;\|\; Trv(l, h, x, p{+}1, c{+}1)\big) &
\end{array}$$



We note that the splitting of the array during recursive calls in Qck(i, j) in Example 2.8 is data dependent, based on the pivot value returned after a call to Prt(i, j). This fact complicates confluence analysis through static techniques such as type systems for resource usage (e.g., [4, 36]). To be able to deal with the refined analysis required for this example, we define a resource-semantics for our processes in Section 3 which does not approximate over data dependent branching. This extended semantics then serves as a model for a resource-aware separation logic for processes, given in Section 4. In Section 5 we then define a compositional proof system for verifying properties in this logic.



3. Resourcing for Processes 

We define a reduction semantics for our programs by confining their behaviour through linear permissions for channel input and output. This confined-process semantics helps us to reason about the deterministic behaviour of processes and lays the foundation for the semantics of the logic to be presented in Section 4. In particular, it (1) gives us a basis for process separation, in terms of the permissions owned by processes, (2) assists race detection, and (3) acts as a narrative as to why a process is deterministic.



3.1. Systems. We start by defining permission sets. These are used as logical embellishments to readily track channel usage and detect race conditions through conflicting permission usage.

Definition 3.1 (Permissions). The set of permissions is $\mathrm{Perm} \triangleq \{\downarrow, \uparrow\} \times \mathrm{Names}$, where ↓c (resp. ↑c) represents the permission to input (resp. output) on channel c. A permission-set, ranged over by the variables ρ, μ, is a subset of permissions, ρ ⊆ Perm.

Permissions are linear in the sense that there is at most one output permission and one input permission per channel. This is not to be confused with linear (resp. affine) assumptions [11] or types [24], which restrict channel usage to exactly (resp. at most) once. In our case, permissions are not consumed once used, but are instead transferred around and reused. Thus, instead of restricting the number of uses of a particular channel, they ensure that, at any stage during computation, there is at most one process that can output (resp. input) on a particular channel.

Figure 2 defines the syntax and semantics of systems of confined processes, S, T, R ∈ Sys, whereby processes, P, are confined by permission sets, ρ, and denoted as ⌈P⌉ρ. Systems can also be composed in parallel and their channels can also be scoped.
Confined Processes (Systems)

$$S, T, R ::= \lceil P\rceil_\rho \;\mid\; S \| T \;\mid\; (\textbf{new } c)S$$

Permission Violation Detection Rules

$$\text{eOut}\;\frac{\uparrow c \notin \rho}{\lceil c!\bar e\rceil_\rho \longrightarrow_{err}} \qquad \text{eIn}\;\frac{\downarrow c \notin \rho}{\lceil c?\bar x.P\rceil_\rho \longrightarrow_{err}}$$

$$\text{ePar}\;\frac{S \longrightarrow_{err}}{S \| T \longrightarrow_{err}} \qquad \text{eRes}\;\frac{S \longrightarrow_{err}}{(\textbf{new } c)S \longrightarrow_{err}} \qquad \text{eStr}\;\frac{T \equiv S \qquad S \longrightarrow_{err}}{T \longrightarrow_{err}}$$

Structural Equivalence Rules

$$\begin{array}{ll}
\text{scCom}\quad S \| T \equiv T \| S & \text{scAss}\quad S \| (T \| R) \equiv (S \| T) \| R \\
\text{scNew}\quad (\textbf{new } c)\lceil\textbf{nil}\rceil_\emptyset \equiv \lceil\textbf{nil}\rceil_\emptyset & \text{scSwp}\quad (\textbf{new } c)(\textbf{new } d)S \equiv (\textbf{new } d)(\textbf{new } c)S \\
\text{scNil}\quad S \| \lceil\textbf{nil}\rceil_\emptyset \equiv S & \text{scExt}\quad S \| (\textbf{new } c)T \equiv (\textbf{new } c)(S \| T) \;\text{ if } c \notin \mathrm{fn}(S)
\end{array}$$

Reduction Rules

$$\text{cThn}\;\frac{b \Downarrow \mathsf{tt}}{\lceil\textbf{if } b \textbf{ then } P \textbf{ else } Q\rceil_\rho \longrightarrow \lceil P\rceil_\rho} \qquad \text{cEls}\;\frac{b \Downarrow \mathsf{ff}}{\lceil\textbf{if } b \textbf{ then } P \textbf{ else } Q\rceil_\rho \longrightarrow \lceil Q\rceil_\rho}$$

$$\text{cCom}\;\frac{\bar e \Downarrow \bar v \qquad \uparrow c \in \rho \qquad \downarrow c \in \mu}{\lceil c!\bar e\rceil_\rho \;\|\; \lceil c?\bar x.P\rceil_\mu \longrightarrow \lceil P\{\bar v/\bar x\}\rceil_{\rho\cup\mu}} \qquad \text{cPrc}\;\frac{K(\bar x) = P \qquad \bar e \Downarrow \bar v}{\lceil K(\bar e)[\bar c/\bar d]\rceil_\rho \longrightarrow \lceil P\{\bar v/\bar x\}\{\bar c/\bar d\}\rceil_\rho}$$

$$\text{cRes}\;\frac{S \longrightarrow S'}{(\textbf{new } c)S \longrightarrow (\textbf{new } c)S'} \qquad \text{cPar}\;\frac{S \longrightarrow S'}{S \| T \longrightarrow S' \| T} \qquad \text{cStr}\;\frac{S \equiv S' \qquad S' \longrightarrow T' \qquad T' \equiv T}{S \longrightarrow T}$$

$$\text{cSpl}\;\frac{\rho \cap \mu = \emptyset}{\lceil P \| Q\rceil_{\rho\cup\mu} \longrightarrow \lceil P\rceil_\rho \;\|\; \lceil Q\rceil_\mu} \qquad \text{cLcl}\;\frac{}{\lceil(\textbf{new } c)P\rceil_\rho \longrightarrow (\textbf{new } c)\lceil P\rceil_{\rho\,\cup\,\{\downarrow c,\, \uparrow c\}}}$$

$$\text{cTgh}\;\frac{\{\downarrow c, \uparrow c\} \cap \rho \neq \emptyset \qquad c \notin \mathrm{fn}(P)}{(\textbf{new } c)(\lceil P\rceil_\rho \;\|\; S) \longrightarrow \lceil P\rceil_{\rho \setminus \{\downarrow c,\, \uparrow c\}} \;\|\; (\textbf{new } c)S} \qquad \text{cDsc}\;\frac{\rho \neq \emptyset}{\lceil\textbf{nil}\rceil_\rho \longrightarrow \lceil\textbf{nil}\rceil_\emptyset}$$

Figure 2: A Permission-Confined CCS

Confinement allows us to define separation across systems, S ⊥ T, on the basis of the (visible) permissions owned by a system, Definition 3.2. In what follows, we assume systems of confined processes to always be well-resourced, meaning that all confined parallel processes are separate, i.e., there is no overlap across owned permission sets, and that permissions are linear. System well-resourcing, denoted ⊢ S, is formalised in Definition 3.4. It can be easily checked statically by induction on the structure of systems.
Definition 3.2 ((Visibly) Owned Permissions).

$$\mathrm{prm}(S) \;\triangleq\; \begin{cases} \rho & \text{if } S = \lceil P\rceil_\rho \\ \mathrm{prm}(T) \cup \mathrm{prm}(R) & \text{if } S = T \| R \\ \mathrm{prm}(T) \setminus \{\uparrow c, \downarrow c\} & \text{if } S = (\textbf{new } c)T \end{cases}$$

Definition 3.3 (Separation). $S \perp T \;\triangleq\; \mathrm{prm}(S) \cap \mathrm{prm}(T) = \emptyset$

Definition 3.4 (Well-Resourced System). A system S is well-resourced, denoted ⊢ S, if it is included in the least set defined by the following three rules.

$$\text{wPrc}\;\frac{}{\vdash \lceil P\rceil_\rho} \qquad \text{wPar}\;\frac{\vdash S \qquad \vdash T \qquad S \perp T}{\vdash S \| T} \qquad \text{wRes}\;\frac{\vdash S}{\vdash (\textbf{new } c)S}$$

Process confinement also facilitates the detection of races, which lead to non-deterministic behaviour in the process semantics of Section 2. The judgement S →err, defined by the rules in Figure 2, describes the detection of permission violations. As we shall see later on in Section 3.3 and Section 3.4, the absence of permission violations also implies the absence of channel communication races.

The reduction rules in Figure 2 enforce proper permission usage. Rule cCom imposes additional restrictions on rCom of Figure 1: the output process (resp. the input process) is required to own the permission to output, ↑c (resp. input, ↓c), on channel c. Confined processes cannot arbitrarily create permissions but need to transfer them to other processes at specific interaction points (i.e., communication through cCom). The new rules cSpl and cLcl enforce this resourcing of permissions: cSpl requires that newly spawned processes partition the parent permissions amongst them, whereas cLcl ensures that scoped names generate a single pair of input-output permissions for every channel. Note that cSpl is inherently non-deterministic as it does not specify how the permissions are partitioned amongst the parallel processes; cf. Section 3.3 for a discussion of this. Rules cThn, cEls, cPrc, cRes, cPar and cStr in Figure 2 are analogous to those in Figure 1. Structural equivalence extends to systems directly, with ⌈nil⌉∅ as the parallel composition identity.

The rule cDsc allows systems to discard permissions whenever it is clear that they will not be used anymore, whereas cTgh is a convenient rule that allows us to tighten name scoping irrespective of permissions; together with cStr, scNil and scNew it allows us to discard redundant scoping of channels as computation progresses (cf. Section 3.3 for an example of how this rule is used). These last two rules are not essential for determining whether a process is deterministic but help declutter extraneous permissions. This enables us to express eventual stable systems more succinctly which, in turn, permits simpler definitions for assertion satisfaction later on in Section 4.



3.2. Dynamic Properties of Systems. Reductions preserve locality. This means that the permissions owned by a process provide a footprint for its reductions and that any process it reduces to will be confined to these permissions. This property is key for compositional reasoning when ensuring that global properties, such as that of being well-resourced, are preserved. For instance, if the system $S \,\|\, T$ is well-resourced, then by Definition 3.4 it must be the case that the two subsystems are separate, i.e., $S \perp T$. If $S \longrightarrow S'$, locality, i.e., $\mathrm{prm}(S') \subseteq \mathrm{prm}(S)$, immediately implies that $S' \perp T$ and therefore that the global system $S' \,\|\, T$ is still well-resourced. Thus reduction also preserves well-resourcing.

Lemma 3.5 (Locality). $S \longrightarrow T$ implies $\mathrm{prm}(T) \subseteq \mathrm{prm}(S)$
Lemma 3.6 (Resourcing). $\vdash S$ and $S \longrightarrow T$ implies $\vdash T$

(Proof for Lemma 3.6 and Lemma 3.5). The proof is by rule induction on $S \longrightarrow T$. The main cases are:

cCom: $S = \lceil c!e \rceil_{\mu} \,\|\, \lceil c?x.P \rceil_{\mu'}$, $T = \lceil P\{v/x\} \rceil_{\mu \cup \mu'}$ where $e \Downarrow v$. It is immediate that $\mathrm{prm}(S) = \mathrm{prm}(T)$. Moreover, $\vdash T$ by wPrc.

cPar: We have $S = R_1 \,\|\, R_2$, $T = R_1' \,\|\, R_2$ and $R_1 \longrightarrow R_1'$. Moreover, $\vdash S$ implies $\mathrm{prm}(R_1) \cap \mathrm{prm}(R_2) = \emptyset$, $\vdash R_1$ and $\vdash R_2$. Also recall that $\mathrm{prm}(S) = \mathrm{prm}(R_1) \cup \mathrm{prm}(R_2)$ and that $\mathrm{prm}(T) = \mathrm{prm}(R_1') \cup \mathrm{prm}(R_2)$.

By $\vdash R_1$, $R_1 \longrightarrow R_1'$ and I.H. we obtain $\vdash R_1'$ and $\mathrm{prm}(R_1') \subseteq \mathrm{prm}(R_1)$. By $\mathrm{prm}(R_1') \subseteq \mathrm{prm}(R_1)$ and $\mathrm{prm}(R_1) \cap \mathrm{prm}(R_2) = \emptyset$ we deduce $\mathrm{prm}(R_1') \cap \mathrm{prm}(R_2) = \emptyset$, and by $\vdash R_1'$ and $\vdash R_2$ we deduce $\vdash T$. Moreover, by $\mathrm{prm}(R_1') \subseteq \mathrm{prm}(R_1)$ we obtain $\mathrm{prm}(T) \subseteq \mathrm{prm}(S)$.

cSpl: $S = \lceil P \,\|\, Q \rceil_{\mu_1 \uplus \mu_2}$ and $T = \lceil P \rceil_{\mu_1} \,\|\, \lceil Q \rceil_{\mu_2}$. $\mu_1 \uplus \mu_2$ implies $\mathrm{prm}(\lceil P \rceil_{\mu_1}) \cap \mathrm{prm}(\lceil Q \rceil_{\mu_2}) = \emptyset$ and since $\vdash \lceil P \rceil_{\mu_1}$ and $\vdash \lceil Q \rceil_{\mu_2}$ (by wPrc), we get $\vdash T$. Moreover $\mathrm{prm}(T) = \mathrm{prm}(S)$.

cDsc: $S = \lceil \mathsf{nil} \rceil_{\mu}$ and $T = \lceil \mathsf{nil} \rceil_{\emptyset}$. Trivially, $\vdash T$ (by wPrc) and $\mathrm{prm}(T) = \emptyset \subseteq \mathrm{prm}(S)$. □

Another important property of our resource semantics is that reductions do not hide prior permission violations, i.e., permission violations are preserved by reductions. This allows us to ignore intermediary steps during the evaluation of a confined process (cf. Definition 3.8) and simply inspect the resulting stable system to determine whether that evaluation resulted in any permission violations. In what follows, we shall refer to evaluations without permission violations as safe.

Lemma 3.7 (Violation Preservation). $S \longrightarrow^{*} T$ and $S \longrightarrow \mathsf{err}$ implies $T \longrightarrow \mathsf{err}$

Proof. First we show that $S \longrightarrow T$ and $S \longrightarrow \mathsf{err}$ implies $T \longrightarrow \mathsf{err}$, by rule induction on $S \longrightarrow T$. The main cases are:

cCom: $S = \lceil c!e \rceil_{\mu} \,\|\, \lceil c?x.P \rceil_{\mu'}$ where $\uparrow c \in \mu$ and $\downarrow c \in \mu'$. By case analysis, if $S \longrightarrow \mathsf{err}$ then either $\lceil c!e \rceil_{\mu} \longrightarrow \mathsf{err}$ because $\uparrow c \notin \mu$ (by eOut) or $\lceil c?x.P \rceil_{\mu'} \longrightarrow \mathsf{err}$ because $\downarrow c \notin \mu'$ (by eIn); both cases lead to a contradiction.

cPar: $S = R_1 \,\|\, R_2$, $T = R_1' \,\|\, R_2$ and $R_1 \longrightarrow R_1'$. By $S = R_1 \,\|\, R_2$, ePar, eStr and scCom we know $S \longrightarrow \mathsf{err}$ because either:

$R_1 \longrightarrow \mathsf{err}$: By $R_1 \longrightarrow R_1'$ and I.H. $R_1' \longrightarrow \mathsf{err}$, and by $T = R_1' \,\|\, R_2$ and ePar we get $T \longrightarrow \mathsf{err}$.

$R_2 \longrightarrow \mathsf{err}$: By $T = R_1' \,\|\, R_2$, ePar, eStr and scCom we obtain $T \longrightarrow \mathsf{err}$.

The second part of the proof is by induction on the number $n$ of reductions used, i.e., $S \longrightarrow^{n} T$. □

3.3. System Determinism. The first two main results of our resource semantics establish that system evaluation is deterministic up-to the terminal permissions owned (cf. Theorem 3.11 and Theorem 3.12).

We first lay the ground for these results by giving the following definitions. System evaluation in Definition 3.8, $S \Downarrow T$, is limited to safe-stability, $T\checkmark$, and excludes reductions to racy systems. The operation $|{-}|$ denotes a permission-erasure function whereby $|S|$ returns the process in $S$ stripped of all its confining permissions; it allows us to express equivalence up-to owned permissions in Theorem 3.11. System convergence, Definition 3.10, is the least set of systems that converge to a stable state (but not necessarily a safe one) and is used for Theorem 3.12.
Definition 3.8 (Safe-Stability and Evaluation).
$$S\checkmark \;\triangleq\; S \not\longrightarrow \ \text{ and }\ S \not\longrightarrow \mathsf{err}$$
$$S \Downarrow T \;\triangleq\; \exists T'.\ S \longrightarrow^{*} T' \ \text{ and }\ T'\checkmark \ \text{ and }\ T' \equiv T$$

Definition 3.9 (Permission Confinement Erasure).
$$|S| \;\triangleq\; \begin{cases} P & \text{if } S = \lceil P \rceil_{\mu} \\ |T| \,\|\, |R| & \text{if } S = T \,\|\, R \\ (\mathsf{new}\ c)|T| & \text{if } S = (\mathsf{new}\ c)T \end{cases}$$

Definition 3.10 (System Convergence). $\downdownarrows$ is the least predicate over systems satisfying the equation
$$S \downdownarrows \;\triangleq\; S \not\longrightarrow \ \text{ or }\ (\forall T.\ S \longrightarrow T \text{ implies } T \downdownarrows)$$



In conformance with Definition 2.6, by system determinism we understand that (1) no system can evaluate to two distinct safely-stable systems, up-to owned permissions, i.e., Theorem 3.11, and that (2) no system can evaluate to a safely-stable system and, at the same time, diverge along a different execution path, i.e., Theorem 3.12.

Theorem 3.11 (Evaluation Determinism). $S \Downarrow T_1$ and $S \Downarrow T_2$ implies $|T_1| \equiv |T_2|$

Theorem 3.12 (System Evaluation implies System Convergence). $S \Downarrow$ implies $S \downdownarrows$

These properties follow, at an intuitive level, from the partial-confluence property, as stated in Lemma 3.13.

Lemma 3.13 (Partial Confluence). $S \longrightarrow T_1$ and $S \longrightarrow T_2$ implies either of the following:

(1) $|T_1| \equiv |T_2|$ or;

(2) $\exists T_3.\ T_1 \longrightarrow T_3$ and $T_2 \longrightarrow T_3$

However, the full technical details of the proofs for Theorem 3.11 and Theorem 3.12 are more delicate; on first reading, the reader may skip them and progress to Section 3.4. Before that, we highlight Proposition 3.14, which establishes necessary and sufficient conditions on the structure of safely-stable systems; these conditions will then act as a guiding principle when formulating our logic formulas. In essence, safely-stable systems consist of mismatching asynchronous outputs and input-blocked processes composed in parallel, each owning the respective output and input permissions so as not to generate an error.

Proposition 3.14 (Safe-Stability and System Structure).
$$S\checkmark \quad\text{iff}\quad S \equiv (\mathsf{new}\ \tilde d)\Big(\ \big\|_{i=1}^{n} \lceil c_i!e_i \rceil_{\mu_i} \ \,\|\,\ \big\|_{j=1}^{m} \lceil c'_j?x_j.P_j \rceil_{\mu'_j}\ \Big)$$

where

• $\{c_1, \ldots, c_n\} \cap \{c'_1, \ldots, c'_m\} = \emptyset$

and where the empty compositions $\big\|_{i=1}^{0} \lceil c_i!e_i \rceil_{\mu_i}$ and $\big\|_{j=1}^{0} \lceil c'_j?x_j.P_j \rceil_{\mu'_j}$ denote $\lceil \mathsf{nil} \rceil_{\emptyset}$.



The proofs for Theorem 3.11 and Theorem 3.12 require us to work at a tighter relation than process structural equivalence for the intermediary steps of an evaluation, namely $\approx$ defined in Definition 3.15, because process structural equivalence, $\equiv$, loses information with respect to the currently owned permissions of a system. The relation $\approx$ lies between system structural equivalence and the respective process structural equivalence after confinement erasure (cf. Proposition 3.16).

Definition 3.15 (Equivalence up-to owned permissions). $S \approx T$ is defined as the least relation satisfying the following rules:
$$\frac{}{\lceil P \rceil_{\mu_1} \approx \lceil P \rceil_{\mu_2}} \qquad \frac{S_1 \approx S_2 \quad T_1 \approx T_2}{S_1 \,\|\, T_1 \;\approx\; S_2 \,\|\, T_2} \qquad \frac{S_1 \approx S_2}{(\mathsf{new}\ c)S_1 \approx (\mathsf{new}\ c)S_2} \qquad \frac{S_1 \equiv S_2 \quad S_2 \approx T_2 \quad T_2 \equiv T_1}{S_1 \approx T_1}$$

Proposition 3.16. $S \equiv T$ implies $S \approx T$ implies $|S| \equiv |T|$

Note that $|S| \equiv |T|$ does not imply $S \approx T$. For instance, $|\lceil P \,\|\, Q \rceil_{\mu}| \equiv |\lceil P \rceil_{\mu_1} \,\|\, \lceil Q \rceil_{\mu_2}|$ but $\lceil P \,\|\, Q \rceil_{\mu} \not\approx \lceil P \rceil_{\mu_1} \,\|\, \lceil Q \rceil_{\mu_2}$.

Lemma 3.17 (Properties of $\approx$ with respect to reductions).

(1) $S \approx T$ and $T \longrightarrow T'$ and $S \not\longrightarrow \mathsf{err}$ implies $S \longrightarrow S'$ and $S' \approx T'$

(2) $S \approx T$ and $S \not\longrightarrow$ implies $T \not\longrightarrow$

Proof. See Appendix A.2. □

The system relation $\approx$ allows us to specify a tighter relationship which characterises Partial Confluence more precisely, i.e., Lemma 3.18. This is then used to prove Lemma 3.21, upon which Theorem 3.11 rests. We relegate the proofs of the lemmas used by Lemma 3.21 to Appendix A.2. Note also that Lemma 3.13, stated earlier to give an intuition for how linear permissions ensure confluence, follows immediately from Lemma 3.18 and Proposition 3.16.

Lemma 3.18 (Partial Confluence). $S \longrightarrow T_1$ and $S \longrightarrow T_2$ implies either of the following:

(1) $T_1 \approx T_2$ or;

(2) $\exists T_3.\ T_1 \longrightarrow T_3$ and $T_2 \longrightarrow T_3$

Proof. See Appendix A.2. □

Definition 3.19 (System Evaluation Predicates). $S \Downarrow \;\triangleq\; \exists T.\ S \Downarrow T$

Lemma 3.20 (Evaluation Preservation for $\approx$).

$S \approx T$ and $S \Downarrow$ and $T \longrightarrow T'$ implies $S \longrightarrow S'$ where $S' \approx T'$ and $S' \Downarrow$.

Proof. See Appendix A.2. □

Lemma 3.21 (Evaluation and $\approx$).

$S \approx T$ and $S \longrightarrow^{n} S'\checkmark$ and $T \longrightarrow^{m} T'\checkmark$ implies $S' \approx T'$ and $n = m$

Proof. By (strong) induction on the number $n$ of reductions leading to a safely-stable system, $S \longrightarrow^{n} S'$.

$n = 0$: By $S \not\longrightarrow$ and Lemma 3.17(2) we know $T \not\longrightarrow$, which implies $m = 0$ and $T = T' \approx S$.

$n = k + 1$: We have
$$\exists S'' \text{ such that } S \longrightarrow S'' \longrightarrow^{k} S' \tag{3.1}$$
Lemma 3.7 and $S'\checkmark$, $T'\checkmark$ imply $S \not\longrightarrow \mathsf{err}$ and $T \not\longrightarrow \mathsf{err}$, and $S \longrightarrow S''$ and Lemma 3.17(1) imply that $m > 0$, i.e.,
$$\exists T'' \text{ such that } T \longrightarrow T'' \longrightarrow^{m-1} T' \tag{3.2}$$
Moreover, $S \longrightarrow^{n} S'\checkmark$ and $T \longrightarrow^{m} T'\checkmark$ imply $S \Downarrow$ and $T \Downarrow$ respectively, and by $S \approx T$, $S \longrightarrow S''$ and Lemma 3.20 we obtain
$$\exists T_1, T_1', l \text{ such that } T \longrightarrow T_1 \tag{3.3}$$
$$T_1 \approx S'' \tag{3.4}$$
$$T_1 \longrightarrow^{l} T_1'\checkmark \tag{3.5}$$
By $S'' \longrightarrow^{k} S'$ from (3.1), (3.4), (3.5) and I.H. we obtain
$$S' \approx T_1' \ \text{ and }\ l = k \tag{3.6}$$
i.e., $T_1 \longrightarrow^{k} T_1'\checkmark$. Now by Lemma 3.18, (3.3) and $T \longrightarrow T''$ from (3.2) we have two sub-cases:

$T_1 \approx T''$: By (3.5) and (3.6) we know $T_1 \longrightarrow^{k} T_1'\checkmark$ and by $T'' \longrightarrow^{m-1} T'\checkmark$ from (3.2) and I.H. we deduce
$$T' \approx T_1' \ \text{ and }\ (m - 1) = k$$
and by transitivity and (3.6) we conclude $T' \approx S'$ and $m = (k + 1) = n$ as required.

$T_1 \longrightarrow T_3$ and $T'' \longrightarrow T_3$: We here have two further sub-cases:

$\exists T_3', h$ such that $T_3 \longrightarrow^{h} T_3'\checkmark$: This implies $T_1 \longrightarrow^{h+1} T_3'\checkmark$ and by (3.1), (3.4) and I.H. we obtain
$$T_3' \approx S' \ \text{ and }\ (h + 1) = k \tag{3.7}$$
We also know that $T'' \longrightarrow^{h+1} T_3'\checkmark$ and by (3.7) we obtain $T'' \longrightarrow^{k} T_3'\checkmark$ and, since $T'' \approx T''$ (reflexivity of $\approx$), using (3.2) and I.H. we obtain
$$T_3' \approx T' \ \text{ and }\ (m - 1) = k$$
which first implies $m = (k + 1) = n$ and then, by (3.7), implies $T' \approx S'$ as required.

$T_3 \not\Downarrow$: By $T_1 \longrightarrow T_3$, $T_1 \approx T_1$ (reflexivity of $\approx$), (3.5) and Lemma 3.20 we know
$$\exists T_4, T_4', i \text{ such that } T_1 \longrightarrow T_4 \tag{3.8}$$
$$T_4 \approx T_3 \tag{3.9}$$
$$T_4 \longrightarrow^{i} T_4'\checkmark \tag{3.10}$$
Similarly, by $T'' \longrightarrow T_3$, $T'' \approx T''$, (3.2), $T'\checkmark$ and Lemma 3.20
$$\exists T_5, T_5', j \text{ such that } T'' \longrightarrow T_5 \tag{3.11}$$
$$T_5 \approx T_3 \tag{3.12}$$
$$T_5 \longrightarrow^{j} T_5'\checkmark \tag{3.13}$$
Now (3.8) and (3.10) imply $T_1 \longrightarrow^{i+1} T_4'\checkmark$ and by (3.6), $T_1 \approx T_1$ and I.H. we obtain
$$T_4' \approx T_1' \approx S' \ \text{ and }\ (i + 1) = k, \ \text{ i.e., }\ T_4 \longrightarrow^{k-1} T_4'\checkmark \tag{3.14}$$
Moreover, (3.9), (3.12) and transitivity imply $T_4 \approx T_5$, and by (3.14), (3.13) and I.H. we obtain
$$T_5' \approx T_4' \approx S' \ \text{ and }\ j = (k - 1) \tag{3.15}$$
By (3.11) and (3.15) we obtain $T'' \longrightarrow^{k} T_5'\checkmark$ and by $T'' \approx T''$, (3.2) and I.H. we obtain
$$T' \approx T_5' \approx S' \ \text{ and }\ (m - 1) = k$$
which also implies $m = (k + 1) = n$ as required. □

Theorem 3.11 (Evaluation Determinism). $S \Downarrow T_1$ and $S \Downarrow T_2$ implies $|T_1| \equiv |T_2|$

Proof. By reflexivity we know $S \approx S$ and by Lemma 3.21 we know $T_1 \approx T_2$ which, by Proposition 3.16, implies $|T_1| \equiv |T_2|$. □

Convergence for systems, Theorem 3.12, largely follows from Lemma 3.20 and Lemma 3.21. We prove Theorem 3.12 by generalising the hypothesis to systems related by $\approx$ in Lemma 3.22, so as to make the induction go through.

Lemma 3.22. $S \Downarrow$ and $S \approx T$ implies $T \downdownarrows$.

Proof. By induction on $n$ where $S \longrightarrow^{n} R\checkmark$ for some witness safely-stable $R$ justifying $S \Downarrow$.

$n = 0$: This means that $S \not\longrightarrow$ and thus by Lemma 3.17(2) we have $T \not\longrightarrow$, which implies $T \downdownarrows$.

$n = k + 1$: We have
$$S \longrightarrow S' \longrightarrow^{k} R\checkmark \tag{3.16}$$
We have two sub-cases. If $T \not\longrightarrow$ then this trivially implies convergence. Otherwise, if $T \longrightarrow T'$, by Lemma 3.20 we obtain
$$S \longrightarrow S'' \text{ such that } S'' \approx T' \text{ and } S'' \Downarrow \tag{3.17}$$
$S'' \Downarrow$ implies that for some $m$ and $R'$, $S'' \longrightarrow^{m} R'\checkmark$, and since $S \approx S$, by (3.16) and Lemma 3.21 this implies that $m + 1 = k + 1$, which means that $S'' \longrightarrow^{k} R'\checkmark$. Thus by $S'' \approx T'$ from (3.17) and I.H. we obtain $T' \downdownarrows$, which implies $T \downdownarrows$. □

Theorem 3.12 (System Evaluation implies System Convergence). $S \Downarrow$ implies $S \downdownarrows$

Proof. Immediate by Lemma 3.22 and $S \approx S$. □



3.4. Process Determinism. The second main batch of results relates system evaluations in our resource semantics to process determinism in the unconstrained semantics of Section 2 (cf. Corollary 3.25). In particular, Theorem 3.23 states that any well-resourced permission allocation $S$ that allows a process $|S|$ to evaluate down to a safely-stable system, $T$, implies that any evaluation for process $|S|$ in the unconstrained semantics corresponds, up to structural equivalence, to this system $T$ stripped of its constraining permissions, i.e., $|T| \equiv Q$ whenever $|S| \Downarrow Q$. On the other hand, Theorem 3.24 states that if $S$ evaluates successfully to a safely-stable process, then the corresponding process $|S|$ must be convergent. Together, these two theorems effectively state that finding a single allocation (narrative) $S$ of linear permissions for a process $|S|$ that allows it to evaluate to some $T$ suffices to show that $|S|$ is deterministic in the unconstrained semantics (Corollary 3.25).

Theorem 3.23 (Process Evaluation Determinism). $S \Downarrow T$, $|S| \Downarrow Q_1$, $|S| \Downarrow Q_2$ implies $Q_1 \equiv Q_2 \equiv |T|$

Theorem 3.24 (Process Convergence). $S \Downarrow$ implies $|S| \downdownarrows$

Corollary 3.25. $S \Downarrow$ implies $|S|$ is deterministic.

Proof. By Definition 2.6, Theorem 3.23 and Theorem 3.24. □
We next discuss in detail the proofs for Theorem 3.23 and Theorem 3.24; the reader may safely skip them on first reading and proceed to Section 3.5.

Theorem 3.23 follows directly from Lemma 3.31, which in turn relies heavily on Lemma 3.28. In essence, this lemma states that a system that evaluates to a safely-stable system can match any sequence of reductions (in the unconstrained semantics) of the system stripped of its constraining permissions. This lemma is based on Lemma 3.27, which proves the property for the case of a single unconstrained reduction, and also depends on the property of corrective reductions, Lemma 3.26. This lemma states that any system that can evaluate safely, $S \Downarrow$, is guaranteed to be able to "correct" a wrong partitioning of permissions (cf. cSpl in Figure 2) along a particular reduction path that results in systems that cannot evaluate safely. Stated otherwise, this means that there must exist a permission partition that leads to a full evaluation along that particular execution path.

Lemma 3.26 (Corrective Reductions).

$S \Downarrow$ and $S \longrightarrow^{n} T$ and $T \not\Downarrow$ implies $\exists R$ such that $S \longrightarrow^{n} R$ and $R \approx T$ and $R \Downarrow$.

Proof. Immediate from Lemma A.9 of Appendix A.2 and the fact that $S \approx S$. □

Lemma 3.27 (Reduction Correspondence).

$S \Downarrow$ and $|S| \longrightarrow Q$ implies $\exists R$ such that $S \longrightarrow^{+} R$ and $|R| \equiv Q$

Proof. By rule induction on $|S| \longrightarrow Q$; see Appendix A.2. □

Lemma 3.28 (Multi-step Reduction Correspondence).

$|S| \longrightarrow^{n} Q$ and $S \Downarrow$ implies $S \longrightarrow^{n+m} R$ such that $R \Downarrow$ and $|R| \equiv Q$.

Proof. By induction on the number of reduction steps that lead to a stable process, $|S| \longrightarrow^{n} Q$:

$n = 0$: Immediate since $Q = |S|$ and $S \longrightarrow^{0} S$ where $S \Downarrow$.

$n = k + 1$: This means that $\exists P$ such that $|S| \longrightarrow P \longrightarrow^{k} Q$. By $S \Downarrow$ and Lemma 3.27 we know:
$$\exists T \text{ such that } S \longrightarrow^{l} T,\ l > 0 \text{ and } |T| \equiv P \tag{3.18}$$
Thus by $P \longrightarrow^{k} Q$, $|T| \equiv P$ from (3.18) and rStr we have
$$|T| \longrightarrow^{k} Q \tag{3.19}$$
At this point we have two cases:

$T \Downarrow$: By I.H. we deduce that $T \longrightarrow^{k+m} R$ such that $R \Downarrow$ and $|R| \equiv Q$, and by $S \longrightarrow^{l} T$ from (3.18) we obtain
$$S \longrightarrow^{k+m+l} R \text{ such that } R \Downarrow \text{ and } |R| \equiv Q.$$

$T \not\Downarrow$: By $S \longrightarrow^{l} T$ from (3.18) and Lemma 3.26 we know
$$\exists T' \text{ such that } S \longrightarrow^{l} T',\ T' \approx T \text{ and } T' \Downarrow \tag{3.20}$$
Now, by Proposition 3.16, $T' \approx T$ implies $|T'| \equiv |T|$. Thus by (3.19) and rStr we deduce $|T'| \longrightarrow^{k} Q$. Thus by $T' \Downarrow$ and I.H. we obtain $T' \longrightarrow^{k+m} R$ such that $R \Downarrow$ and $|R| \equiv Q$, and by $S \longrightarrow^{l} T'$ from (3.20) we obtain $S \longrightarrow^{k+m+l} R$ such that $R \Downarrow$ and $|R| \equiv Q$. □

Lemma 3.31 also uses Lemma 3.30, which maps stable processes to safely-stable systems.

Lemma 3.29 (Correspondence). $S \longrightarrow T$ implies $|S| \longrightarrow |T|$ or $|S| \equiv |T|$

Proof. The proof is by rule induction on $S \longrightarrow T$; we relegate this to Appendix A.2. □

Lemma 3.30 (Correspondence and Termination). $|S| \not\longrightarrow$ and $S \Downarrow T$ implies $|T| \equiv |S|$

Proof. By induction on $n$ where $S \longrightarrow^{n} T$. The inductive case uses the contrapositive of Lemma 3.29. See Appendix A.2. □

Lemma 3.31 (Evaluation Determinism). $|S| \Downarrow Q$ and $S \Downarrow T$ implies $Q \equiv |T|$.

Proof. $|S| \Downarrow Q$ implies that
$$|S| \longrightarrow^{n} Q \not\longrightarrow \ \text{ for some } n \tag{3.21}$$
By $|S| \longrightarrow^{n} Q$, $S \Downarrow T$ and Lemma 3.28 we know that $S \longrightarrow^{n+m} R$ such that $R \Downarrow$ and $|R| \equiv Q$. Since $Q \not\longrightarrow$ (3.21), then by Corollary A.2 we obtain $|R| \not\longrightarrow$ and thus, by $R \Downarrow$ and Lemma 3.30, we know that
$$R \Downarrow T' \ \text{ for some } T' \text{ where } |T'| \equiv |R| \tag{3.22}$$
By $S \longrightarrow^{n+m} R$ and $R \Downarrow T'$ of (3.22) we deduce that $S \Downarrow T'$, and by $S \Downarrow T$ and Theorem 3.11 from Section 3.3 we know $|T| \equiv |T'|$. Thus by transitivity we obtain $|T| \equiv |T'| \equiv |R| \equiv Q$ as required. □

Theorem 3.23 (Process Evaluation Determinism). $S \Downarrow T$, $|S| \Downarrow Q_1$, $|S| \Downarrow Q_2$ implies $Q_1 \equiv Q_2 \equiv |T|$

Proof. By Lemma 3.31 we know $Q_1 \equiv |T|$ and $Q_2 \equiv |T|$, and the required result follows by transitivity of $\equiv$. □

The theorem relating system evaluation and process convergence uses the following corollary, obtained from Proposition 3.14 of Section 3.3.

Corollary 3.32. $S \not\longrightarrow \mathsf{err}$ and $S \not\longrightarrow$ implies $|S| \not\longrightarrow$

Proof. Follows from Proposition 3.14. □
Theorem 3.24 (Process Convergence). $S \Downarrow$ implies $|S| \downdownarrows$

Proof. By contradiction. Assume that $|S| \not\downdownarrows$. Since, by $S \Downarrow$ and Theorem 3.12, any reduction sequence starting from $S$ is finite, by $|S| \not\downdownarrows$ there must exist a long enough reduction sequence
$$|S| \longrightarrow^{n} Q \longrightarrow \cdots$$
where, by Lemma 3.28, $S \Downarrow T$ and $|T| \equiv Q$. Now since $T\checkmark$, then by Corollary 3.32 we must have $Q \not\longrightarrow$, which contradicts our assumption. Thus $|S| \downdownarrows$. □



3.5. Confined Semantics Application. The following examples expound on the use of linear permission allocations for reasoning about deterministic code.

Example 3.33. $\mathit{Prg} \,\|\, c_1!v_1 \,\|\, c_2!v_2$ can be shown to be deterministic by finding a permission assignment for every process below that permits a safe evaluation.
$$\lceil \mathit{Prg} \rceil_{\mu_1} \,\|\, \lceil c_1!2 \rceil_{\mu_2} \,\|\, \lceil c_2!5 \rceil_{\mu_3} \;\Downarrow\; \lceil c_1!(2,4) \rceil_{\mu'_1} \,\|\, \lceil c_4! \rceil_{\mu'_2}$$

Two possible assignments for $\mu_1$, $\mu_2$ and $\mu_3$ that permit the above evaluation are:
$$\mu_1 = \{\downarrow c_1, \downarrow c_2, \uparrow c_4\},\quad \mu_2 = \{\uparrow c_1\},\quad \mu_3 = \{\uparrow c_2\} \quad \text{or;} \tag{3.23}$$
$$\mu_1 = \{\downarrow c_1, \downarrow c_2\},\quad \mu_2 = \{\uparrow c_1, \uparrow c_4\},\quad \mu_3 = \{\uparrow c_2\} \tag{3.24}$$

Stated otherwise, we have at least two possible linear-permission based narratives explaining why $\mathit{Prg} \,\|\, c_1!v_1 \,\|\, c_2!v_2$ is deterministic. For both assignments $\uparrow c_1 \in \mu'_1$ and $\uparrow c_4 \in \mu'_2$ must hold for the resulting safely-stable system $\lceil c_1!(2,4) \rceil_{\mu'_1} \,\|\, \lceil c_4! \rceil_{\mu'_2}$, but the remaining permissions $\downarrow c_1$, $\downarrow c_2$ and $\uparrow c_2$, which are redundant at that point, can arbitrarily be split amongst $\mu'_1$ and $\mu'_2$. More specifically, recall from Example 2.7 that
$$\mathit{Prg} = (\mathsf{new}\ c_3)(\mathit{Fltr} \,\|\, \mathit{Dbl}) \qquad\qquad \mathit{Dbl} = c_2?x_2.\,c_3?x_4.\,c_1!(x_4 + x_4)$$
$$\mathit{Fltr} = c_1?x_1.\,\mathsf{if}\ x_1 < 9\ \mathsf{then}\ \big(c_3!x_1 \,\|\, c_1?x_3.(c_1!(x_1, x_3) \,\|\, c_4!)\big)\ \mathsf{else}\ c_4!x_1$$

Using the permission assignment in (3.23) we can have the reduction sequence below. Reduction (3.25) can be derived using the rules cLcl, cStr and cPar (cf. Figure 2), whereas reduction (3.26) is derived using cSpl, cPar and cRes; other reductions can be derived in similar fashion. For the most part, we abstract away from the structural manipulation of terms, with the exception of reduction (3.33), which employs cTgh and cStr to discard the redundant scoped channel name $c_3$ and the permissions associated with it.

$$\lceil \mathit{Prg} \rceil_{\{\downarrow c_1, \downarrow c_2, \uparrow c_4\}} \,\|\, \lceil c_1!2 \rceil_{\{\uparrow c_1\}} \,\|\, \lceil c_2!5 \rceil_{\{\uparrow c_2\}} \tag{3.25}$$
$$\longrightarrow (\mathsf{new}\ c_3)\big(\lceil \mathit{Fltr} \,\|\, \mathit{Dbl} \rceil_{\{\downarrow c_1, \downarrow c_2, \uparrow c_4, \uparrow c_3, \downarrow c_3\}} \,\|\, \lceil c_1!2 \rceil_{\{\uparrow c_1\}} \,\|\, \lceil c_2!5 \rceil_{\{\uparrow c_2\}}\big) \tag{3.26}$$
$$\longrightarrow (\mathsf{new}\ c_3)\big(\lceil \mathit{Fltr} \rceil_{\{\downarrow c_1, \uparrow c_4, \uparrow c_3\}} \,\|\, \lceil \mathit{Dbl} \rceil_{\{\downarrow c_2, \downarrow c_3\}} \,\|\, \lceil c_1!2 \rceil_{\{\uparrow c_1\}} \,\|\, \lceil c_2!5 \rceil_{\{\uparrow c_2\}}\big) \tag{3.27}$$
$$\longrightarrow (\mathsf{new}\ c_3)\big(\lceil \mathsf{if}\ 2 < 9\ \mathsf{then}\ (c_3!2 \,\|\, c_1?x_3.(c_1!(2, x_3) \,\|\, c_4!))\ \mathsf{else}\ c_4!2 \rceil_{\{\downarrow c_1, \uparrow c_4, \uparrow c_3, \uparrow c_1\}} \,\|\, \lceil \mathit{Dbl} \rceil_{\{\downarrow c_2, \downarrow c_3\}} \,\|\, \lceil c_2!5 \rceil_{\{\uparrow c_2\}}\big) \tag{3.28}$$
$$\longrightarrow (\mathsf{new}\ c_3)\big(\lceil c_3!2 \,\|\, c_1?x_3.(c_1!(2, x_3) \,\|\, c_4!) \rceil_{\{\downarrow c_1, \uparrow c_4, \uparrow c_3, \uparrow c_1\}} \,\|\, \lceil \mathit{Dbl} \rceil_{\{\downarrow c_2, \downarrow c_3\}} \,\|\, \lceil c_2!5 \rceil_{\{\uparrow c_2\}}\big) \tag{3.29}$$
$$\longrightarrow (\mathsf{new}\ c_3)\big(\lceil c_3!2 \rceil_{\{\uparrow c_3, \uparrow c_1\}} \,\|\, \lceil c_1?x_3.(c_1!(2, x_3) \,\|\, c_4!) \rceil_{\{\downarrow c_1, \uparrow c_4\}} \,\|\, \lceil \mathit{Dbl} \rceil_{\{\downarrow c_2, \downarrow c_3\}} \,\|\, \lceil c_2!5 \rceil_{\{\uparrow c_2\}}\big) \tag{3.30}$$
$$\longrightarrow (\mathsf{new}\ c_3)\big(\lceil c_3!2 \rceil_{\{\uparrow c_3, \uparrow c_1\}} \,\|\, \lceil c_1?x_3.(c_1!(2, x_3) \,\|\, c_4!) \rceil_{\{\downarrow c_1, \uparrow c_4\}} \,\|\, \lceil c_3?x_4.\,c_1!(x_4 + x_4) \rceil_{\{\downarrow c_2, \downarrow c_3, \uparrow c_2\}}\big) \tag{3.31}$$
$$\longrightarrow (\mathsf{new}\ c_3)\big(\lceil c_1?x_3.(c_1!(2, x_3) \,\|\, c_4!) \rceil_{\{\downarrow c_1, \uparrow c_4\}} \,\|\, \lceil c_1!(2 + 2) \rceil_{\{\downarrow c_2, \downarrow c_3, \uparrow c_2, \uparrow c_3, \uparrow c_1\}}\big) \tag{3.32}$$
$$\longrightarrow (\mathsf{new}\ c_3)\big(\lceil c_1!(2,4) \,\|\, c_4! \rceil_{\{\downarrow c_1, \uparrow c_4, \downarrow c_2, \downarrow c_3, \uparrow c_2, \uparrow c_3, \uparrow c_1\}}\big) \;\equiv\; (\mathsf{new}\ c_3)\big(\lceil c_1!(2,4) \,\|\, c_4! \rceil_{\{\downarrow c_1, \uparrow c_4, \downarrow c_2, \downarrow c_3, \uparrow c_2, \uparrow c_3, \uparrow c_1\}} \,\|\, \lceil \mathsf{nil} \rceil_{\emptyset}\big) \tag{3.33}$$
$$\longrightarrow \lceil c_1!(2,4) \,\|\, c_4! \rceil_{\{\downarrow c_1, \uparrow c_4, \downarrow c_2, \uparrow c_2, \uparrow c_1\}} \,\|\, (\mathsf{new}\ c_3)\lceil \mathsf{nil} \rceil_{\emptyset} \;\equiv\; \lceil c_1!(2,4) \,\|\, c_4! \rceil_{\{\downarrow c_1, \uparrow c_4, \downarrow c_2, \uparrow c_2, \uparrow c_1\}} \tag{3.34}$$
$$\longrightarrow \lceil c_1!(2,4) \rceil_{\{\uparrow c_1, \downarrow c_2, \uparrow c_2\}} \,\|\, \lceil c_4! \rceil_{\{\downarrow c_1, \uparrow c_4\}} \;\not\longrightarrow \mathsf{err} \tag{3.35}$$

We highlight two important aspects of this reduction sequence. First, reduction (3.30) could have been interleaved with any of the reductions (3.27), (3.28) and (3.29) while still yielding the same safely-stable system; this holds because these reductions are confluent, as the separate permissions held by each subsystem attest. Second, we could have opted for a different permission partitioning in the reductions (3.26), (3.29) and (3.34), and still attained a safely-stable system. For instance, in (3.26) we could have allocated permission $\uparrow c_4$ to the process $\mathit{Dbl}$ and, similarly, in the case of (3.29) permission $\uparrow c_4$ could have been allocated to the process $c_3!2$, without altering the eventual safely-stable system reached.

From the fact that (3.35) is safely-stable and the contrapositive of Lemma 3.7, we know that permissions were never violated throughout the reduction sequence. Theorem 3.11 guarantees that the process part of any system evaluation will be structurally equivalent to $c_1!(2,4) \,\|\, c_4!$ and, by Theorem 3.23 and Theorem 3.24, this implies that $\mathit{Prg} \,\|\, c_1!v_1 \,\|\, c_2!v_2$ deterministically evaluates to $c_1!(2,4) \,\|\, c_4!$, i.e., it always converges.

From a compositional perspective, permission-sets also delineate the footprint of every process and, indirectly, the requirement for well-resourcing of Definition 3.4 defines an interface for detecting race conditions. Consider for example the system:
$$\lceil \mathit{Prg} \rceil_{\{\downarrow c_2, \uparrow c_4\}}$$
In order for this system to be safe, it needs the permission $\downarrow c_1$ (otherwise it would yield a permission violation through rule eIn). Recall the context $c_1!1 \,\|\, c_2!v_2 \,\|\, c_1?x.\mathsf{nil}$ from Example 2.7, which had introduced a race condition on inputs on channel $c_1$. In order for this system not to violate permissions itself, it must own a permission set $\mu$, i.e., $\lceil c_1!1 \,\|\, c_2!v_2 \,\|\, c_1?x.\mathsf{nil} \rceil_{\mu}$, where $\downarrow c_1 \in \mu$ as well. However, the separation condition for well-resourcing prohibits us from composing these two systems together because their respective permissions are not disjoint, i.e., $\{\downarrow c_1, \downarrow c_2, \uparrow c_4\} \not\perp \mu$.
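The checks used in this section, as an added example (a Python model, not the paper's own code): prm, separation and well-resourcing from Definitions 3.2 to 3.4, plus a structural reading of Proposition 3.14, applied to the systems of Example 3.33 and to the race composition just discussed. The process text, the "up:c"/"down:c" encoding of ↑c/↓c and the context's full permission set are assumptions of the example.

```python
"""Added model of confined systems (example, not the paper's code): prm of Definition 3.2, separation
(3.3), well-resourcing (3.4) and a structural safe-stability test after Proposition 3.14."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple, Union

def up(c: str) -> str:
    return "up:" + c        # ↑c, the permission to output on c

def down(c: str) -> str:
    return "down:" + c      # ↓c, the permission to input on c

@dataclass(frozen=True)
class Confined:             # ⌈P⌉_μ ; the process P is kept as text
    process: str
    perms: FrozenSet[str]

@dataclass(frozen=True)
class Par:                  # S || T
    left: "System"
    right: "System"

@dataclass(frozen=True)
class New:                  # (new c)S
    channel: str
    body: "System"

System = Union[Confined, Par, New]

def prm(s: System) -> FrozenSet[str]:
    """Visibly owned permissions, Definition 3.2."""
    if isinstance(s, Confined):
        return s.perms
    if isinstance(s, Par):
        return prm(s.left) | prm(s.right)
    return prm(s.body) - {up(s.channel), down(s.channel)}

def separate(s: System, t: System) -> bool:
    """S ⊥ T, Definition 3.3."""
    return not (prm(s) & prm(t))

def well_resourced(s: System) -> bool:
    """⊢ S, Definition 3.4, decided by induction on the structure of S (wPrc, wPar, wRes)."""
    if isinstance(s, Confined):
        return True
    if isinstance(s, Par):
        return well_resourced(s.left) and well_resourced(s.right) and separate(s.left, s.right)
    return well_resourced(s.body)

def _top_level_par(text: str) -> bool:
    """True if the process text is a parallel composition at bracket depth 0 (cSpl can fire)."""
    depth = 0
    for i, ch in enumerate(text):
        depth += (ch == "(") - (ch == ")")
        if depth == 0 and text.startswith("||", i):
            return True
    return False

def _prefix(process: str) -> Tuple[str, Optional[str]]:
    """First action of a process: ("out", c), ("in", c), ("nil", None) or ("other", None) when
    the process can still reduce by itself (if-then-else, a process name, P || Q)."""
    text = process.strip()
    if text == "nil":
        return ("nil", None)
    cuts = [i for i in (text.find("!"), text.find("?")) if i >= 0]
    if not cuts or _top_level_par(text) or text.startswith("if "):
        return ("other", None)
    return ("out" if text[min(cuts)] == "!" else "in", text[:min(cuts)])

def components(s: System) -> List[Confined]:
    """The confined processes of S, ignoring name scoping and the bracketing of ||."""
    if isinstance(s, Confined):
        return [s]
    return components(s.body) if isinstance(s, New) else components(s.left) + components(s.right)

def safely_stable(s: System) -> bool:
    """Proposition 3.14 read structurally: each component is an output owning ↑c or an input-blocked
    process owning ↓c (else eOut/eIn fire), and no channel is both output on and waited on (cCom)."""
    outs, ins = set(), set()
    for leaf in components(s):
        kind, c = _prefix(leaf.process)
        if kind == "nil" and not leaf.perms:
            continue                        # ⌈nil⌉_μ with μ ≠ ∅ still reduces by cDsc
        if kind == "out" and up(c) in leaf.perms:
            outs.add(c)
        elif kind == "in" and down(c) in leaf.perms:
            ins.add(c)
        else:
            return False
    return not (outs & ins)

# Constructed from Example 3.33 with assignment (3.23): the initial system and the final one (3.35).
S_INITIAL = Par(Par(Confined("Prg", frozenset({down("c1"), down("c2"), up("c4")})),
                    Confined("c1!2", frozenset({up("c1")}))),
                Confined("c2!5", frozenset({up("c2")})))
S_FINAL = Par(Confined("c1!(2,4)", frozenset({up("c1"), down("c2"), up("c2")})),
              Confined("c4!", frozenset({down("c1"), up("c4")})))
# The race discussion: ⌈Prg⌉ with the ↓c1 it needs, beside the context that also owns ↓c1
# (the context's full permission set is constructed here; the text only fixes ↓c1 ∈ μ).
RACE_SYS = Confined("Prg", frozenset({down("c1"), down("c2"), up("c4")}))
RACE_CTX = Confined("c1!1 || c2!v2 || c1?x.nil", frozenset({down("c1"), up("c1"), up("c2")}))
```

The `safely_stable` test is a syntactic approximation of Proposition 3.14: it inspects only the first action of each confined process and treats anything else as reducible.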

Example 3.34. If, in the array $a_1!v_1 \,\|\, \ldots \,\|\, a_n!v_n$ to be sorted, we assign the permission set $\mu_i = \{\uparrow a_i\}$ to every element $a_i!v_i$ and assign the permission set $\mu = \{\downarrow a_1, \ldots, \downarrow a_n, \uparrow r\}$ to $\mathit{Qck}(1, n)$, then it turns out that we can show that
$$\lceil \mathit{Qck}(1, n) \rceil_{\mu} \,\|\, \lceil a_1!v_1 \rceil_{\mu_1} \,\|\, \ldots \,\|\, \lceil a_n!v_n \rceil_{\mu_n} \;\Downarrow\; T$$
for some safely-stable system $T$ where
$$T = \lceil a_1!u_1 \rceil_{\mu_1} \,\|\, \ldots \,\|\, \lceil a_n!u_n \rceil_{\mu_n} \,\|\, \lceil r! \rceil_{\mu}$$

Note how, as in Example 3.33, $\mu$ in $\lceil \mathit{Qck}(1, n) \rceil_{\mu}$ defines an interface that parallel processes to be composed with it have to respect, in order for it to evaluate deterministically.

3.6. Discussion. Process spawning, cSpl, is intentionally non-deterministic: apart from alleviating permission annotation¹, its non-deterministic nature is in line with the unspecified way that permissions can be allocated in a confined system. Correspondingly, through Theorem 3.11 and Corollary 3.25 we have seen that there may be more than one valid way to distribute permissions across processes so as to prove determinacy.

Since we eventually plan to use confined processes as part of the model for our logic (cf. Section 4), we here opt for the most flexible solution, i.e., non-deterministic splits for parallel composition, which permits more narratives explaining process determinism while still restricting the permission allocations that can be used. This setup gives better separation of concerns between confined process reduction and the model used for our logic. In particular, this model incorporates environments describing permission-transfer invariants, apart from confined processes. These environments are however orthogonal to the properties of confined processes derived in this section. In fact, their purpose is that of allowing for better compositional analysis when determining assertion satisfaction, as we shall see in Section 4 and Section 5.

¹ The current formulation leads to a more lightweight form of annotation for confined processes. The other alternative would have been to extend the definition of parallel composition at the process level and have systems of the form $\lceil P \,\|_{(\mu_1, \mu_2)}\, Q \rceil_{\mu}$, whereby $\mu_1$ and $\mu_2$ specify deterministically how $\mu$ is to be apportioned amongst $P$ and $Q$.
4. Logic

We define a separation-based logic that enables us to reason about programs that deterministically evaluate to stable systems satisfying assertions describing their state. Our logic concentrates more on describing data held at asynchronous outputs in stable systems, and abstracts away from issues dealing with control for deterministic evaluation. For this reason, the logic semantics is not defined directly on bare processes. Instead, the confined processes of Section 3, together with the definitions for safe-stability and evaluation, Definition 3.8, provide the basis for a model for our separation logic whereby the permissions owned constitute our units of separation (cf. Definition 3.3). Together with the associated proof system of Section 5, this amounts to our proposal for a logical framework for reasoning over non-interfering concurrent programs.

4.1. Permission Environments. In our logic, channels have a dual role. Apart from acting as a mechanism for communicating data, they also act as delimiters of mutual-exclusion groups of resources, modelling conditional critical regions [28]. Each input process $c?x.P$ abides to use certain permissions in $P$ only after it synchronises on channel $c$, whereas each output process $c!e$ is obliged to own the permissions guarded by $c$; these guarded permissions are transferred dynamically upon communication on $c$ using rule cCom of Figure 2, and enable us to reason about channel reuse in deterministic systems.

The invariants relating to permission mutual-exclusion are characterised as permission environments, $\Gamma \in \mathit{Chans} \rightharpoonup \mathcal{P}(\mathit{Perm})$, partial maps associating channels $c$ to permission-sets $\mu$. They require abiding processes to own all the permissions in $\mu$ when outputting on $c$ and, dually, allow processes to assume the acquisition of all permissions in $\mu$ when inputting on $c$. The constraints in Definition 4.1 ensure that (1) permission transfer always includes the permission $\uparrow c$ to output over the communicating channel, but never the capability $\downarrow c$ to input over it, as this must already belong to the receiving process; (2) environments are suitably closed.

Definition 4.1 (Permission Environment). $\Gamma$ is a finite map from names to permission sets such that:

(1) for all $c \in \mathrm{dom}(\Gamma)$, $\downarrow c \notin \Gamma(c)$ and $\uparrow c \in \Gamma(c)$,

(2) $\mu \in \mathrm{cod}(\Gamma)$ implies $\mathrm{nm}(\mu) \subseteq \mathrm{dom}(\Gamma)$,

where $\mathrm{nm}(\mu) \triangleq \{c \mid \downarrow c \in \mu \text{ or } \uparrow c \in \mu\}$.

4.2. Logical Formulas. Our logic formulas, ranged over by the meta-variables $\varphi, \psi$, characterise a 'spatial' notion of state for deterministic processes in terms of the data held on asynchronous channels at stable processes. In order to simplify our conceptual process interpretations, we limit ourselves to describing only the states of stable processes, abstracting away from the intermediary reductions that lead to stability. For this we require asynchronous output data assertions, $c\langle e \rangle$, the 'separating conjunction', $\varphi * \psi$, and its unit, $\mathsf{emp}$; formulas constructed using just these constructs are denoted by the metavariable $\chi$ and are called state formulas. Guided by Proposition 3.14, stability requires our formulas to describe (input) blocked processes, $\mathsf{blk}(c)$. Finally, we also describe unrestricted terminating processes by $\mathsf{any}$ whenever we want to abstract away completely from the structure of a terminating process.

Definition 4.2 (Formulas).
$$\chi, \eta \in \mathit{SFrm} \;::=\; \mathsf{emp} \;\mid\; c\langle e \rangle \;\mid\; \chi * \chi$$
$$\varphi, \psi \in \mathit{Frm} \;::=\; \mathsf{emp} \;\mid\; \mathsf{any} \;\mid\; c\langle e \rangle \;\mid\; \mathsf{blk}(c) \;\mid\; \varphi * \varphi$$
$\Gamma, S \models \mathsf{emp}$ iff $S \Downarrow \lceil \mathsf{nil} \rceil_{\emptyset}$;

$\Gamma, S \models \mathsf{any}$ iff

$\Gamma, S \models c\langle e \rangle$ iff $S \Downarrow \lceil c!e' \rceil_{\mu}$ with $e \Downarrow v$, $e' \Downarrow v$ and $\Gamma(c) \subseteq \mu$;

$\Gamma, S \models \mathsf{blk}(c)$ iff $S \Downarrow (\mathsf{new}\ \tilde d)\lceil c?x.P \rceil_{\mu}$ with $c \notin \tilde d$ and $c \in \mathrm{dom}(\Gamma)$;

$\Gamma, S \models \varphi_1 * \varphi_2$ iff $S \Downarrow (\mathsf{new}\ \tilde d)(S_1 \,\|\, S_2)$ with $\tilde d \cap \mathrm{dom}(\Gamma) = \emptyset$ and $\Gamma, S_1 \models \varphi_1$ and $\Gamma, S_2 \models \varphi_2$;

Figure 3: Formula Satisfaction

Our formulas are interpreted over permission environments and well-formed systems, i.e., $\Gamma, S \models \varphi$. They are defined in Figure 3, inductively on the structure of closed formulas, i.e., formulas with no free variables in the expressions $e$ of $c\langle e \rangle$. Our definition of formula satisfaction relies heavily on the evaluation judgement, $S \Downarrow T$, which is only defined for closed systems (Definition 3.8); recall that system evaluation existentialises over a reduction path leading to a stable system.

The satisfaction relation in Figure 3 describes the state of a system once it stabilises. The main assertion satisfaction is that for data assertions, $c\langle e \rangle$, as it relates the data held on asynchronous outputs of a stable system with the data stated in the assertion. To do this, the definition relies on the assumption that $S$ is closed to establish the equality between the two expressions $e$ and $e'$. Moreover, it uses the environment, $\Gamma$, to ensure that the (stable) asynchronous output owns the permissions imposed by the permission-guarding invariants. Its use has already been discussed in Section 4.1 and will be elaborated further when we consider compositional analysis of satisfaction in Section 5. Data assertions are typically composed together using the separating conjunction assertion, $\varphi_1 * \varphi_2$, and the empty assertion, $\mathsf{emp}$. For the satisfaction of $\mathsf{emp}$, the system $\lceil \mathsf{nil} \rceil_{\emptyset}$ is chosen to be the identity interpretation for our model with respect to separation, thereby making the interpretation for just these constructs a commutative monoid (cf. Lemma 4.9).

The satisfaction definition of the separating conjunction, $\varphi_1 * \varphi_2$, is however more complicated than one would have expected, as it needs to handle conjunctions with $\mathsf{blk}(c)$ and $\mathsf{any}$ formulas as well; the interpretation for the latter two formulas is rather straightforward. Thus, apart from relying on the system well-resourcing assumption to guarantee that the partitioned sub-systems are separate, $S_1 \perp S_2$ (cf. Definition 3.3), satisfaction for the separating conjunction also enforces that a system is stable before it is split, i.e., $S \Downarrow S_1 \,\|\, S_2$. This condition rules out systems whose subcomponents satisfy the sub-formulas of a conjunction $\varphi_1 * \varphi_2$ but then violate stability once composed together; we return to this later in Example 4.4. The fact that the separating conjunction ranges over input-blocked processes also requires a satisfaction definition that ignores the scoping of channel names across separation, i.e., $S \Downarrow (\mathsf{new}\ \tilde d)(S_1 \,\|\, S_2)$; these scoped names $\tilde d$ refer to channels used in the continuations of blocked processes, as explained later in Example 4.3, and cannot be abstracted away using structural equivalence rules such as scExt and scNew from Figure 2.
Example 4.3 (Satisfiability). Recall the process definitions
\[
\begin{array}{rcl}
Prg & = & (\mathsf{new}\, c_3)(Fltr \| Dbl)\\
Dbl & = & c_2?x_2.\, c_3?x_4.\, c_1!(x_4 + x_4)\\
Fltr & = & c_1?x_1.\ \mathsf{if}\ x_1 < 9\ \mathsf{then}\ c_3!x_1 \;\|\; c_1?x_3.(c_1!(x_1,x_3) \;\|\; c_4!)\ \mathsf{else}\ c_4!x_1
\end{array}
\]
from Example 2.7. Assuming the environment
\[
\Gamma = c_1:\{\uparrow\! c_1\},\ c_2:\{\uparrow\! c_2\},\ c_4:\{\uparrow\! c_4, \downarrow\! c_1\}
\]
we have the following satisfactions:
\[
\begin{array}{lr}
\Gamma,\ \lceil Prg\rceil_{\{\downarrow c_1,\downarrow c_2,\uparrow c_4\}} \;\|\; \lceil c_1!2\rceil_{\{\uparrow c_1\}} \;\|\; \lceil c_2!5\rceil_{\{\uparrow c_2\}} \models c_1\langle 2,4\rangle * c_4\langle\rangle & (4.1)\\[1ex]
\Gamma,\ \lceil Prg \;\|\; c_1!2 \;\|\; c_2!5\rceil_{\{\downarrow c_1,\downarrow c_2,\uparrow c_4,\uparrow c_1,\uparrow c_2\}} \models c_1\langle 2,4\rangle * c_4\langle\rangle & (4.2)\\[1ex]
\Gamma,\ \lceil c_1!(5-3,\,3+1)\rceil_{\{\uparrow c_1\}} \;\|\; \lceil c_4!\rceil_{\{\uparrow c_4,\downarrow c_1\}} \models c_1\langle 2,4\rangle * c_4\langle\rangle & (4.3)
\end{array}
\]
whereby, according to the definition in Figure 3, satisfaction is only concerned with the existence of a reduction path to a stable system, where the outputs corresponding to data assertions are required to own the permissions expected by the permission environment $\Gamma$; the reduction paths of (4.1) and (4.2) have already been discussed in Section 3. Satisfaction for (4.3) is more straightforward to determine as the system is already stable. On the other hand, for $\Gamma$ defined above, the following do not satisfy their respective assertions:
\[
\begin{array}{lr}
\Gamma,\ \lceil Prg\rceil_{\{\downarrow c_1,\downarrow c_2,\uparrow c_4\}} \;\|\; \lceil c_1!2\rceil_{\emptyset} \;\|\; \lceil c_2!5\rceil_{\{\uparrow c_2\}} \not\models c_1\langle 2,4\rangle * c_4\langle\rangle & (4.4)\\[1ex]
\Gamma,\ \lceil Prg\rceil_{\{\downarrow c_2,\uparrow c_4\}} \;\|\; \lceil c_1!2\rceil_{\{\uparrow c_1\}} \;\|\; \lceil c_2!5\rceil_{\{\uparrow c_2\}} \not\models c_1\langle 2,4\rangle * c_4\langle\rangle & (4.5)\\[1ex]
\Gamma,\ \lceil c_1!(5-3,\,3+1)\rceil_{\{\uparrow c_1\}} \;\|\; \lceil c_4!\rceil_{\{\uparrow c_4\}} \not\models c_1\langle 2,4\rangle * c_4\langle\rangle & (4.6)\\[1ex]
\Gamma,\ \lceil c_1!(2,3)\rceil_{\{\uparrow c_1\}} \;\|\; \lceil c_4!\rceil_{\{\uparrow c_4,\downarrow c_1\}} \not\models c_1\langle 2,4\rangle * c_4\langle\rangle & (4.7)
\end{array}
\]

The first two systems fail to satisfy the assertion because they cannot evaluate to safely-stable systems due to lack of permission. In particular, in (4.4) process $c_1!2$ does not own permission $\uparrow\! c_1$ required for communication (cf. cCom in Figure 2), whereas in (4.5) $Prg$ is missing permission $\downarrow\! c_1$. The third system, (4.6), fails to satisfy the assertion although it is already a safely-stable system, as it violates the permission obligations for outputs imposed by $\Gamma$, i.e., output $c_4!$ does not own permission $\downarrow\! c_1$. Finally, the fourth system, (4.7), fails to satisfy the assertion due to a mismatch between the data expected by the assertions and the data communicated by the outputs. We also have the following satisfactions involving the other assertion forms of the logic:
\[
\begin{array}{lr}
(\Gamma, c_3:\{\uparrow\! c_3\}),\ \lceil Fltr \| Dbl\rceil_{\{\downarrow c_1,\downarrow c_2,\uparrow c_4,\downarrow c_3\}} \;\|\; \lceil c_1!10\rceil_{\{\uparrow c_1\}} \;\|\; \lceil c_2!5\rceil_{\{\uparrow c_2\}} \models c_4\langle 10\rangle * \mathsf{blk}(c_3) & (4.8)\\[1ex]
\Gamma,\ \lceil Prg\rceil_{\{\downarrow c_1,\downarrow c_2,\uparrow c_4\}} \;\|\; \lceil c_1!10\rceil_{\{\uparrow c_1\}} \;\|\; \lceil c_2!5\rceil_{\{\uparrow c_2\}} \models c_4\langle 10\rangle * \mathsf{any} & (4.9)\\[1ex]
\Gamma,\ \lceil Prg\rceil_{\{\downarrow c_1,\downarrow c_2,\uparrow c_4\}} \;\|\; \lceil c_1!10\rceil_{\{\uparrow c_1\}} \;\|\; \lceil c_2!5\rceil_{\{\uparrow c_2\}} \models \mathsf{any} & (4.10)\\[1ex]
\Gamma,\ (\mathsf{new}\, c_3)\big(\lceil c_1?.c_3!\rceil_{\{\downarrow c_1\}} \;\|\; \lceil c_2?.c_3?.\mathsf{nil}\rceil_{\{\downarrow c_2\}}\big) \models \mathsf{blk}(c_1) * \mathsf{blk}(c_2) & (4.11)
\end{array}
\]



Satisfaction (4.8) requires us to extend $\Gamma$ to account for the permission invariants of channel $c_3$, which is not scoped. We also need the input permission $\downarrow\! c_3$, as dictated by the satisfaction of the sub-assertion $\mathsf{blk}(c_3)$ in Figure 3. In the subsequent satisfaction, (4.9), $\mathsf{any}$ is used to describe the input-blocked process on channel $c_3$, which is scoped in $Prg$ (recall that $Prg = (\mathsf{new}\, c_3)(Fltr \| Dbl)$). Note also how, in (4.11), since $c_3 \notin \mathsf{dom}(\Gamma)$ (cf. satisfaction for $\varphi_1 * \varphi_2$ in Figure 3), the scoping of $c_3$ does not prohibit us from splitting the system to determine the satisfaction of the subcomponents of the formula, i.e., $\mathsf{blk}(c_1)$ and $\mathsf{blk}(c_2)$.
The requirement that satisfaction is limited to safe evaluations in Figure 3 intentionally makes certain formulas unsatisfiable. Alternative definitions would have been possible whereby we allow systems to temporarily satisfy a formula but then fail to satisfy it as computation progresses, meaning that the eventual stable system would not necessarily satisfy the formula. However, as discussed briefly in the Introduction, in our eventual framework of Section 5 systems will have the dual role of acting both as state and as state-transformers. We therefore opted for the simpler interpretation that is conceptually easier to work with and chose a satisfaction interpretation that can be easily reasoned about in terms of the eventual stable systems reached.

Example 4.4 (Unsatisfiability). Formulas such as the ones below are unsatisfiable under the interpretation given in Figure 3:
\[
c\langle 5\rangle * c\langle 6\rangle \qquad\qquad c\langle 1\rangle * \mathsf{blk}(c)
\]
In the first case, i.e., $c\langle 5\rangle * c\langle 6\rangle$, sub-systems respectively satisfying $c\langle 5\rangle$ and $c\langle 6\rangle$ can never be merged into a well-resourced system as they must conflict on the permission $\uparrow\! c$ irrespective of the narrative chosen, due to the environment constraints set out in Definition 4.1. This is desirable because any system satisfying the first formula would create a race condition for any inputs on the channel $c$.

In the latter case, i.e., $c\langle 1\rangle * \mathsf{blk}(c)$, sub-systems satisfying the sub-formulas of the separating conjunction become unstable once they are composed in parallel, violating their respective sub-formula satisfaction. Hence any such satisfying system would violate the evaluation condition imposed on the satisfaction of the conjunct formula $\varphi_1 * \varphi_2$ in Figure 3. In fact, any sub-system $S_1$ satisfying $c\langle 1\rangle$ must evaluate to a stable system of the form $\lceil c!e\rceil_\rho$ where $e \Downarrow 1$. Similarly, any sub-system $S_2$ satisfying $\mathsf{blk}(c)$ must evaluate to a stable system that is structurally equivalent to $(\mathsf{new}\, \vec d)\lceil c?x.P\rceil_\mu$ (where $c \notin \vec d$). This means that, by the semantics of Section 3, $\lceil c!e\rceil_\rho \| (\mathsf{new}\, \vec d)\lceil c?x.P\rceil_\mu$ is not stable, even if it is well-resourced (i.e., $\rho \cap \mu = \emptyset$). Our satisfaction definition for $\varphi_1 * \varphi_2$ rules out this possibility by first requiring that the composite system evaluates to a stable system before splitting. There are two reasons for this stricter interpretation. First, once the reduction happens, leading to an evaluation to some other stable state $S_3$,
\[
\lceil c!e\rceil_\rho \;\|\; (\mathsf{new}\, \vec d)\lceil c?x.P\rceil_\mu \;\longrightarrow\; (\mathsf{new}\, \vec d)\lceil P\{1/x\}\rceil_{\mu\cup\rho} \;\Downarrow\; S_3
\]
it may be the case that $S_3$ does not satisfy $c\langle 1\rangle * \mathsf{blk}(c)$ anymore. Second, and perhaps more importantly, the above reduction can potentially trigger permission-violating or non-terminating behaviour in $(\mathsf{new}\, \vec d)\lceil P\{1/x\}\rceil_{\mu\cup\rho}$. For instance, process $P$ may be of the form $d!1 \| d!2 \| d?y.c!(x+y)$, i.e., it has two competing outputs on channel $d$. This implies that, whereas $(\mathsf{new}\, d)\lceil c?x.P\rceil_\mu$ is safely-stable, its continuation is permission-violating, irrespective of the permissions held at that point, because it can hold at most one permission to output on channel $d$.

Since structural equivalence is central to Figure 3 ($\Downarrow$ in Definition 3.8 incorporates it), satisfaction abstracts over structurally equivalent systems, which allows us to work up-to structural equivalence when reasoning about systems. Moreover, we can also infer formula satisfaction from an existing system-formula satisfaction for any system that reduces (converges) to that system in zero or more steps.

Proposition 4.5 (Satisfaction and Evaluation). $\Gamma, S \models \varphi$ implies $\exists T.\ S \Downarrow T$ and $\Gamma, T \models \varphi$.

Proposition 4.6 (Structural Eq. and Satisfaction). $\Gamma, S \models \varphi$ and $S \equiv T$ implies $\Gamma, T \models \varphi$.

Proposition 4.7 (Satisfaction and Convergence). $\Gamma, S \models \varphi$ and $T \longrightarrow^* S$ implies $\Gamma, T \models \varphi$.
We overload $\models$ to denote semantic implication amongst formulas in standard fashion. We are then able to prove certain properties about our logic, stated in Lemma 4.9.

Definition 4.8 (Semantic Implication). $\varphi \models \psi \stackrel{\mathrm{def}}{=} \Gamma, S \models \varphi$ implies $\Gamma, S \models \psi$.

Lemma 4.9 (Formula equivalence). The following bidirectional implications hold:

(1) $\mathsf{emp} * \varphi \mathrel{=\!\|\!=} \varphi$

(2) $\varphi_1 * (\varphi_2 * \varphi_3) \mathrel{=\!\|\!=} (\varphi_1 * \varphi_2) * \varphi_3$

(3) $\varphi * \psi \mathrel{=\!\|\!=} \psi * \varphi$



4.3. Composing satisfactions. Recall, from Example 4.4, that the satisfaction of the sub-assertions $\varphi_1$ and $\varphi_2$ does not necessarily imply the satisfaction of the composite assertion $\varphi_1 * \varphi_2$. Nevertheless, it is possible to determine when it is safe to infer this by analysing the structure of the sub-formulas. This analysis is formalised as the formula separation judgement, denoted $\varphi_1 \perp \varphi_2$ and defined in Definition 4.10. This judgement relies on the functions $\mathsf{edg}()$ and $\mathsf{trg}()$ to conservatively approximate matching outputs and inputs across sub-systems satisfying the formulas $\varphi_1, \varphi_2$ and, by prohibiting such matching channel operations, it ensures that no new reductions are introduced when the sub-systems are composed in parallel. As a result, sub-systems that satisfy the sub-formulas of a separating conjunction must still satisfy the conjunction once composed, as stated in Lemma 4.11. This formula separation judgement is used later on by the proof system in Section 5 to circumvent the construction of problematic formulas such as those discussed in Example 4.4.

Definition 4.10 (Formula Edges, Triggers and Separation).
\[
\mathsf{edg}(\varphi) \stackrel{\mathrm{def}}{=}
\begin{cases}
\emptyset & \text{if } \varphi = \mathsf{emp} \text{ or } \varphi = \mathsf{blk}(c)\\
\{\uparrow\! c\} & \text{if } \varphi = c\langle e\rangle\\
\mathsf{edg}(\varphi_1) \cup \mathsf{edg}(\varphi_2) & \text{if } \varphi = \varphi_1 * \varphi_2\\
\text{undefined} & \text{otherwise}
\end{cases}
\]
\[
\mathsf{trg}(\varphi) \stackrel{\mathrm{def}}{=}
\begin{cases}
\emptyset & \text{if } \varphi = \mathsf{emp} \text{ or } \varphi = c\langle e\rangle\\
\{\uparrow\! c\} & \text{if } \varphi = \mathsf{blk}(c)\\
\mathsf{trg}(\varphi_1) \cup \mathsf{trg}(\varphi_2) & \text{if } \varphi = \varphi_1 * \varphi_2\\
\text{undefined} & \text{otherwise}
\end{cases}
\]
\[
\varphi \perp \psi \stackrel{\mathrm{def}}{=} \mathsf{edg}(\varphi) \cap \mathsf{trg}(\psi) = \emptyset \;\wedge\; \mathsf{edg}(\psi) \cap \mathsf{trg}(\varphi) = \emptyset
\]

Lemma 4.11 (Merging Assertions). $\Gamma, S \models \varphi$ and $\Gamma, T \models \psi$ and $S \perp T$ and $\varphi \perp \psi$ implies $\Gamma, S \| T \models \varphi * \psi$.

Proof. See Appendix A.3. □

Note that, for a number of conjunctions, the sub-formulas are trivially separate, making formula separation checks superfluous. For instance, $\mathsf{emp}$ is separate from any formula; also state formulas $\chi_1 * \chi_2$ are trivially separate, $\chi_1 \perp \chi_2$, as stated in Proposition 4.12.

Proposition 4.12. For any environment $\Gamma$, state formulas $\chi, \eta$ and formula $\varphi$ we have:

(1) $\chi \perp \eta$

(2) $\varphi \perp \mathsf{emp}$

Proof. Immediate from Definition 4.10. □
5. Proof System

We complete our framework by developing a compositional proof system for the logic of Section 4, interpreted according to the satisfaction of Figure 3. Our sequents, inspired by Hoare triples, have the format
\[
\Gamma; b \vdash \{\varphi\}\ S\ \{\psi\},
\]
where $S$ is a well-resourced system, $\varphi$ and $\psi$ are respectively the pre-condition and post-condition, $\Gamma$ is a permission environment, and $b$ is a boolean expression as defined in Figure 1, now serving as a boolean formula over our value domain. The system, formulas and boolean condition in a sequent are potentially open, i.e., they may have free variables. Thus, the meaning of our sequents quantifies over all substitutions $\sigma \in \mathsf{Sub}$ that make the boolean condition evaluate to true, and also over all systems $T \in \mathsf{Sys}$ which are separate from $S$ and which satisfy the precondition, in the following way.

Definition 5.1 (Sequent satisfaction).
\[
\Gamma, b \models \{\varphi\}\ S\ \{\psi\} \stackrel{\mathrm{def}}{=} \forall \sigma, T.\ \ b\sigma \Downarrow \mathsf{tt},\ \ \Gamma, T\sigma \models \varphi\sigma,\ \ T\sigma \perp S\sigma \ \text{ implies }\ \Gamma, (T \| S)\sigma \models \psi\sigma
\]

As in [19], our sequents tease apart auxiliary reasoning about our value domain, since determining the truth (or otherwise) of these boolean formulas is process-independent. Such disentangling also allows us to make refined claims about derivations in our system. For instance, if we limit value expressions to Presburger arithmetic, we know that our boolean formula derivations exist and are decidable [?].

We note that our sequents deal with total correctness. Formula satisfaction, defined in Figure 3, centres around system evaluation, $S \Downarrow T$, which existentially quantifies over one sequence of system reductions. The strength of what may, at first, seem a rather weak behaviour assertion comes from the determinism properties afforded by our model of confined processes. In fact, Theorem 3.11 (Evaluation Determinism) allows us to extend such behaviour assertions to universal system behaviour, up-to redundant permissions. What we are ultimately interested in, however, is universal process behaviour. This can then be retrieved in immediate fashion through Definition 5.6 (Process Satisfaction), defined later in Section 5.3, Theorem 3.24 (Process Convergence), and ultimately, Theorem 3.23 (Process Evaluation Determinism).

The proof system, defined by the rules in Figure 4, assumes the derivation judgement $b_1 \models b_2$ between two (possibly open) boolean formulas, with the expected property that
\[
\forall \sigma : \mathsf{Sub}.\ \ b_1 \models b_2 \text{ and } b_1\sigma \Downarrow \mathsf{tt} \text{ implies } b_2\sigma \Downarrow \mathsf{tt}
\]
Most of the logical rules are rather intuitive and their 'naturality' is, in part, due to the strong substratum provided by process confinement, in terms of absence of races. We have four logical axioms, where lNil, lBlk and lOut deal with stable systems. More precisely, lNil acts as a wire between the precondition and the postcondition, lFls trivialises proofs with an unsatisfiable boolean condition, lBlk generates input-blocked process assertions, and lOut generates data assertions.

The rule lIn is central to the proof system as it is the only rule that consumes part of the precondition. Together with lOut and lPar it captures process communication in our proof system. In particular, these rules observe the permission mutual-exclusion invariants dictated by the environment, whereby the side-condition in lOut, i.e., $\Gamma(c) \subseteq \rho$, forces outputs to own the permissions guarded by the mutual exclusion, whereas the premise in lIn permits inputs to assume ownership of these guarded permissions after communication, through the masking of these permissions in the conclusion, i.e., $\rho \setminus \Gamma(c)$. The permission checking side-conditions in
Logical Rules
\[
\textsc{lNil}\ \dfrac{}{\Gamma; b \vdash \{\varphi\}\ \lceil\mathsf{nil}\rceil_\rho\ \{\varphi\}}
\qquad
\textsc{lFls}\ \dfrac{}{\Gamma; \mathsf{false} \vdash \{\varphi\}\ S\ \{\psi\}}
\qquad
\textsc{lBlk}\ \dfrac{\downarrow\! c \in \rho}{\Gamma; b \vdash \{\mathsf{emp}\}\ \lceil c?\vec x.P\rceil_\rho\ \{\mathsf{blk}(c)\}}
\]
\[
\textsc{lOut}\ \dfrac{\Gamma(c) \subseteq \rho}{\Gamma; b \vdash \{\mathsf{emp}\}\ \lceil c!\vec e\rceil_\rho\ \{c\langle\vec e\rangle\}}
\qquad
\textsc{lIn}\ \dfrac{\downarrow\! c \in \rho \qquad \Gamma; b \vdash \{\varphi\}\ \lceil P\{\vec e/\vec x\}\rceil_\rho \| S\ \{\psi\}}{\Gamma; b \vdash \{\varphi * c\langle\vec e\rangle\}\ \lceil c?\vec x.P\rceil_{\rho\setminus\Gamma(c)} \| S\ \{\psi\}}
\]
\[
\textsc{lIf}\ \dfrac{\Gamma; b_1 \wedge b_2 \vdash \{\varphi\}\ \lceil P\rceil_\rho \| S\ \{\psi\} \qquad \Gamma; b_1 \wedge \neg b_2 \vdash \{\varphi\}\ \lceil Q\rceil_\rho \| S\ \{\psi\}}{\Gamma; b_1 \vdash \{\varphi\}\ \lceil \mathsf{if}\ b_2\ \mathsf{then}\ P\ \mathsf{else}\ Q\rceil_\rho \| S\ \{\psi\}}
\qquad
\textsc{lDef}\ \dfrac{\Gamma; b \vdash \{\varphi\}\ \lceil P\{\vec e/\vec x\}\rceil_\rho \| S\ \{\psi\}}{\Gamma; b \vdash \{\varphi\}\ \lceil K(\vec e)\rceil_\rho \| S\ \{\psi\}}
\]
\[
\textsc{lPar}\ \dfrac{\Gamma; b \vdash \{\varphi_1\}\ S\ \{\psi_1 * \varphi_3\} \qquad \Gamma; b \vdash \{\varphi_2 * \varphi_3\}\ T\ \{\psi_2\} \qquad \psi_1 \perp \psi_2 \qquad \varphi_2 \perp \varphi_3}{\Gamma; b \vdash \{\varphi_1 * \varphi_2\}\ S \| T\ \{\psi_1 * \psi_2\}}
\qquad
\textsc{lSpl}\ \dfrac{\Gamma; b \vdash \{\varphi\}\ \lceil P\rceil_\rho \| \lceil Q\rceil_\mu \| S\ \{\psi\}}{\Gamma; b \vdash \{\varphi\}\ \lceil P \| Q\rceil_{\rho\cup\mu} \| S\ \{\psi\}}
\]
\[
\textsc{lRes}\ \dfrac{\Gamma; b \vdash \{\varphi\}\ S\ \{\psi\}}{\Gamma \setminus c; b \vdash \{\varphi\}\ (\mathsf{new}\, c)S\ \{\psi \setminus c\}}
\qquad
\textsc{lLcl}\ \dfrac{\Gamma; b \vdash \{\varphi\}\ (\mathsf{new}\, c)\lceil P\rceil_{\rho\cup\{\downarrow c,\uparrow c\}} \| S\ \{\psi\}}{\Gamma; b \vdash \{\varphi\}\ \lceil (\mathsf{new}\, c)P\rceil_\rho \| S\ \{\psi\}}
\]
Structural Rules
\[
\textsc{lInst}\ \dfrac{\Gamma; b \vdash \{\varphi\}\ S\ \{\psi\}}{\Gamma; b[e/x] \vdash \{\varphi[e/x]\}\ S[e/x]\ \{\psi[e/x]\}}
\qquad
\textsc{lSub}\ \dfrac{b \models x = e \qquad \Gamma; b \vdash \{\varphi[e/x]\}\ S[e/x]\ \{\psi[e/x]\}}{\Gamma; b \vdash \{\varphi\}\ S\ \{\psi\}}
\]
\[
\textsc{lImp}\ \dfrac{\Gamma; b' \vdash \{\varphi_1\}\ T\ \{\psi_1\} \qquad b \models b' \qquad \varphi \models \varphi_1 \qquad S \equiv T \qquad \psi_1 \models \psi}{\Gamma; b \vdash \{\varphi\}\ S\ \{\psi\}}
\qquad
\textsc{lRen}\ \dfrac{\Gamma; b \vdash \{\varphi\}\ S\ \{\psi\} \qquad d \notin \mathsf{fn}(\Gamma, \varphi, \psi, S)}{\Gamma\{d/c\}; b \vdash \{\varphi\{d/c\}\}\ S\{d/c\}\ \{\psi\{d/c\}\}}
\]

Figure 4: Sequent Rules. In lDef, $K(\vec x) = P$ stands for the process definition being unfolded (the constant's name is not legible in the extraction).

the axioms lOut and lBlk ensure that stable systems are safe; similarly, the permission checking side-condition in lIn ensures that evaluations are also safe; recall that any permission violation is propagated down to the eventual stable system by Lemma 3.7.

The system parallel composition rule (lPar) is central to our proof system. It is the only rule that allows us to introduce a cut-middle formula in the hypotheses, $\varphi_3$. The asymmetry in the hypotheses of this rule guarantees the existence of a reduction sequence across two independently verified sub-systems, since the unidirectional cut disallows mutual dependencies across the premise sequents; this prevents deadlocks and ensures total correctness. lPar also carries two side-conditions, $\psi_1 \perp \psi_2$ and $\varphi_2 \perp \varphi_3$, denoting formula separation as defined in Definition 4.10.

The proof system also has a rule for process parallel composition, (lSpl), which forces a partitioning of permission-resources, analogously to cSpl from Figure 2; similarly, the process scoping rule (lLcl) follows rule cLcl from Figure 2. The system scoping rule (lRes) restricts the permission-guarding invariants relating to the scoped channels and filters assertions blocked by the scoping using the function $\psi \setminus c$, as defined in Definition 5.2; in particular, this function over-approximates to $\mathsf{any}$ both message state assertions and input-blocked assertions affected by the name scoping of the restriction. lRes also uses an environment restriction operation $\Gamma \setminus c$ defined in Definition 5.3.



Definition 5.2 (Formula Restriction).
\[
\varphi \setminus c \stackrel{\mathrm{def}}{=}
\begin{cases}
d\langle e\rangle & \text{if } \varphi = d\langle e\rangle \text{ and } d \neq c\\
\mathsf{blk}(d) & \text{if } \varphi = \mathsf{blk}(d) \text{ and } d \neq c\\
\mathsf{emp} & \text{if } \varphi = \mathsf{emp}\\
(\varphi_1 \setminus c) * (\varphi_2 \setminus c) & \text{if } \varphi = \varphi_1 * \varphi_2\\
\mathsf{any} & \text{otherwise}
\end{cases}
\]

Definition 5.3 (Environment Restriction).
\[
\Gamma \setminus c \stackrel{\mathrm{def}}{=}
\begin{cases}
\emptyset & \text{if } \Gamma = \emptyset\\
\Gamma' \setminus c & \text{if } \Gamma = \Gamma', c:\rho\\
(\Gamma' \setminus c),\ d:(\rho \setminus \{\downarrow\! c, \uparrow\! c\}) & \text{if } \Gamma = \Gamma', d:\rho \text{ and } c \neq d
\end{cases}
\]

Proposition 5.4. If $\Gamma$ is a permission environment then $\Gamma \setminus c$ is as well.

Proof. It is immediate to check that Definition 4.1 is still observed by $\Gamma \setminus c$, in particular that it is suitably closed (Definition 4.1(2)). □
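Definitions 4.10, 5.2 and 5.3 are small recursive functions over the formula syntax, and running them makes the side-conditions of lPar, lSep and lRes concrete. The following Python is an added example, not code from the paper: it encodes formulas as a syntax tree, implements edg, trg, the separation judgement $\varphi \perp \psi$ and the two restriction operations, and checks them against Example 4.4 and the environment $\Gamma''$ of Example 6.1. It assumes a representation of $\uparrow\! c$ and $\downarrow\! c$ as the pairs ("up", c) and ("down", c), and stands in for system separation $S \perp T$ by disjointness of the two permission sets.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple, Union

# Assumed encoding: ("up", c) is the output permission on c (the paper's ↑c)
# and ("down", c) the input permission on c (↓c).
Perm = Tuple[str, str]

def up(c: str) -> Perm:
    return ("up", c)

def down(c: str) -> Perm:
    return ("down", c)

# Formula syntax: emp, c<e>, blk(c), any and the separating conjunction phi * psi.
@dataclass(frozen=True)
class Emp:
    pass

@dataclass(frozen=True)
class Data:  # c<e>: a stable asynchronous output on c carrying expression e
    chan: str
    expr: str

@dataclass(frozen=True)
class Blk:  # blk(c): a process that is input-blocked on c
    chan: str

@dataclass(frozen=True)
class AnyF:  # any: no information about the (scoped) residual system
    pass

@dataclass(frozen=True)
class Sep:  # phi * psi
    left: Formula
    right: Formula

Formula = Union[Emp, Data, Blk, AnyF, Sep]

class Undefined(Exception):
    """edg and trg are undefined on formulas containing any (Definition 4.10)."""

def edg(phi: Formula) -> FrozenSet[Perm]:
    """Outputs that a system satisfying phi may stabilise with."""
    if isinstance(phi, (Emp, Blk)):
        return frozenset()
    if isinstance(phi, Data):
        return frozenset({up(phi.chan)})
    if isinstance(phi, Sep):
        return edg(phi.left) | edg(phi.right)
    raise Undefined(phi)

def trg(phi: Formula) -> FrozenSet[Perm]:
    """Outputs that would wake a blocked input of a system satisfying phi."""
    if isinstance(phi, (Emp, Data)):
        return frozenset()
    if isinstance(phi, Blk):
        return frozenset({up(phi.chan)})
    if isinstance(phi, Sep):
        return trg(phi.left) | trg(phi.right)
    raise Undefined(phi)

def separate(phi: Formula, psi: Formula) -> bool:
    """phi ⊥ psi: no output of one side can trigger a blocked input of the other,
    so composing satisfying sub-systems introduces no new reduction."""
    return not (edg(phi) & trg(psi)) and not (edg(psi) & trg(phi))

def can_merge(phi: Formula, rho: FrozenSet[Perm],
              psi: Formula, mu: FrozenSet[Perm]) -> bool:
    """The two checkable premises of Lemma 4.11: system separation (modelled
    here, by assumption, as disjoint permission sets) and phi ⊥ psi."""
    return rho.isdisjoint(mu) and separate(phi, psi)

def restrict_formula(phi: Formula, c: str) -> Formula:
    """phi \\ c (Definition 5.2): assertions on the scoped channel c become any."""
    if isinstance(phi, (Data, Blk)) and phi.chan != c:
        return phi
    if isinstance(phi, Emp):
        return phi
    if isinstance(phi, Sep):
        return Sep(restrict_formula(phi.left, c), restrict_formula(phi.right, c))
    return AnyF()

def restrict_env(gamma: Dict[str, FrozenSet[Perm]], c: str) -> Dict[str, FrozenSet[Perm]]:
    """Gamma \\ c (Definition 5.3): drop the entry for c and erase c's
    permissions from the invariants guarded by every other channel."""
    return {d: perms - {up(c), down(c)} for d, perms in gamma.items() if d != c}

if __name__ == "__main__":
    # Example 4.4: c<5> * c<6> passes the formula check, but the two outputs
    # cannot be separate systems since each must own up(c) (Definition 4.1).
    print(separate(Data("c", "5"), Data("c", "6")))                  # True
    print(can_merge(Data("c", "5"), frozenset({up("c")}),
                    Data("c", "6"), frozenset({up("c")})))            # False
    print(separate(Data("c", "1"), Blk("c")))                       # False
    # Example 6.1: Gamma'' = Gamma, c3:{up c3, up c1}; restricting by c3 gives Gamma back.
    gamma2 = {"c1": frozenset({up("c1")}), "c2": frozenset({up("c2")}),
              "c4": frozenset({up("c4"), down("c1")}),
              "c3": frozenset({up("c3"), up("c1")})}
    print(restrict_env(gamma2, "c3") == {k: v for k, v in gamma2.items() if k != "c3"})  # True
    print(restrict_formula(Sep(Data("c4", "x"), Blk("c3")), "c3"))  # c4<x> * any
```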

The remaining logical rules are fairly straightforward. In the conditional proof rule lIf, the hypotheses on each branch are augmented with the corresponding assertion, as usual in Hoare logics; this mechanism works in tandem with the structural rule lFls, which trivialises the proof obligations on unreachable branches. lDef completes the treatment of the logical rules in the obvious way. Note that rules lIn and lDef abuse the substitution notation, extending it from values to (possibly open) expressions.

The proof system also has a number of structural rules. The rule (lInst) permits instantiations of generic sequents, whereas (lSub) permits substitutions of expressions for variables that can be inferred to be equivalent from the sequent boolean expression. The rule lRen renames channel names in sequents; the rule side-condition guarantees that the name $d$ is fresh, which makes the renaming injective. Finally, (lImp) endows proofs with a basic understanding of structural equivalence, $\equiv$, and of logical implication, $\models$.



5.1. Derived Rules. Although lPar is used extensively when proving properties of parallel communicating processes, it turns out that we often do not require its full power, which makes it somewhat cumbersome to use. We therefore derive lightweight versions of lPar, enabling parallel code to be either logically sequenced, thereby focussing on cutting intermediary formulas (lCut), or else considered totally separate, where composite pre-conditions are assumed to produce composite post-conditions (lSep). These derived rules require fewer side-conditions relating to formula separation. For instance, lCut disposes of the side-conditions entirely, and lSep limits them to one check.
\[
\textsc{lCut}\ \dfrac{\Gamma; b \vdash \{\varphi_1\}\ S\ \{\psi\} \qquad \Gamma; b \vdash \{\psi\}\ T\ \{\varphi_2\}}{\Gamma; b \vdash \{\varphi_1\}\ S \| T\ \{\varphi_2\}}
\qquad
\textsc{lSep}\ \dfrac{\Gamma; b \vdash \{\varphi_1\}\ S\ \{\psi_1\} \qquad \Gamma; b \vdash \{\varphi_2\}\ T\ \{\psi_2\} \qquad \psi_1 \perp \psi_2}{\Gamma; b \vdash \{\varphi_1 * \varphi_2\}\ S \| T\ \{\psi_1 * \psi_2\}}
\]
For state-formula pre- and postconditions, an even simpler version of lSep is obtained from Proposition 4.12, i.e., lSepSt, which requires no side-conditions at all.
\[
\textsc{lSepSt}\ \dfrac{\Gamma; b \vdash \{\eta_1\}\ S\ \{\chi_1\} \qquad \Gamma; b \vdash \{\eta_2\}\ T\ \{\chi_2\}}{\Gamma; b \vdash \{\eta_1 * \eta_2\}\ S \| T\ \{\chi_1 * \chi_2\}}
\]
The derivations of these lightweight parallel rules are straightforward and use the formula semantic implications from Lemma 4.9 together with the properties of formula separation from Proposition 4.12. See Appendix A.

The output axiom lOut appears frequently in most derivations using our proof system. We find it convenient to formulate another derived rule that facilitates comparisons between the expression output by the process and that specified by the state formula, even when these expressions do not syntactically match.
\[
\textsc{lOutD}\ \dfrac{b \models e_1 = e_2 \qquad \Gamma(c) \subseteq \rho}{\Gamma; b \vdash \{\mathsf{emp}\}\ \lceil c!e_1\rceil_\rho\ \{c\langle e_2\rangle\}}
\]
Dually, the rule lIn is used frequently to dispose of cut-formulas. However, the direct use of this rule can become unwieldy due to the structural manipulations required to get the system into the form required by the rule. A more convenient version can be derived that abstracts away from these structural equivalence manipulations.
\[
\textsc{lInD}\ \dfrac{T \equiv \lceil c?\vec x.P\rceil_{\rho\setminus\Gamma(c)} \| S \qquad \downarrow\! c \in \rho \qquad \Gamma; b \vdash \{\varphi\}\ \lceil P\{\vec e/\vec x\}\rceil_\rho \| S\ \{\psi\}}{\Gamma; b \vdash \{\varphi * c\langle\vec e\rangle\}\ T\ \{\psi\}}
\]
The proofs for these derived rules are straightforward and relegated to Appendix A.4.

Derived rules similar to lInD can be obtained for lDef, lIf, lSpl and lLcl using an analogous derivation. In Section 6 we shall often abuse this fact and use the derived rule named as the respective proof rule while at the same time abstracting away from structural manipulations.



5.2. Frame Rule. The frame rule embodies local reasoning in separation-based logics [33]. For satisfiable post-conditions, a variant of the frame rule can be derived in our proof system.
\[
\textsc{lFrm}\ \dfrac{\Gamma; b \vdash \{\varphi_1\}\ S\ \{\varphi_2\} \qquad \varphi_2 \perp \psi}{\Gamma; b \vdash \{\varphi_1 * \psi\}\ S\ \{\varphi_2 * \psi\}}
\]
Moreover, for the special case when the pre- and post-conditions are state formulas, the frame rule eliminates the need for the side-condition, as stated below.
\[
\textsc{lFrmSt}\ \dfrac{\Gamma; b \vdash \{\chi_1\}\ S\ \{\chi_2\}}{\Gamma; b \vdash \{\chi_1 * \eta\}\ S\ \{\chi_2 * \eta\}}
\]
We here show the derivation for the more general version of the frame rule, i.e., lFrm, using the proof rules lNil, lImp and lPar (through its derived form lSep) and the structural equivalence $S \| \lceil\mathsf{nil}\rceil_\emptyset \equiv S$.
\[
\dfrac{\dfrac{\Gamma; b \vdash \{\varphi_1\}\ S\ \{\varphi_2\} \qquad \dfrac{}{\Gamma; b \vdash \{\psi\}\ \lceil\mathsf{nil}\rceil_\emptyset\ \{\psi\}}\ \textsc{lNil} \qquad \varphi_2 \perp \psi}{\Gamma; b \vdash \{\varphi_1 * \psi\}\ S \| \lceil\mathsf{nil}\rceil_\emptyset\ \{\varphi_2 * \psi\}}\ \textsc{lSep} \qquad S \equiv S \| \lceil\mathsf{nil}\rceil_\emptyset}{\Gamma; b \vdash \{\varphi_1 * \psi\}\ S\ \{\varphi_2 * \psi\}}\ \textsc{lImp}
\]

Our proof system is sound with respect to Definition 5.1.

Theorem 5.5 (Soundness). $\Gamma; b \vdash \{\varphi\}\ S\ \{\psi\}$ implies $\Gamma, b \models \{\varphi\}\ S\ \{\psi\}$.
Proof. By rule induction on $\Gamma; b \vdash \{\varphi\}\ S\ \{\psi\}$. We here show the main rules:

lOut: For arbitrary $\sigma, T$ we have
\[
\begin{array}{lr}
b\sigma \Downarrow \mathsf{tt} & (5.1)\\
\Gamma, T\sigma \models \mathsf{emp}\sigma & (5.2)\\
T\sigma \perp \lceil c!\vec e\rceil_\rho\sigma & (5.3)
\end{array}
\]
and the side-condition
\[
\Gamma(c) \subseteq \rho \qquad (5.4)
\]
By Figure 3 and (5.2) we know
\[
T\sigma \Downarrow \lceil\mathsf{nil}\rceil_\emptyset \qquad (5.5)
\]
By (5.3) we know that $T\sigma \| \lceil c!\vec e\rceil_\rho\sigma$ is well-resourced. Moreover, by (5.5) and cPar and scNil of Figure 2 we deduce
\[
T\sigma \| \lceil c!\vec e\rceil_\rho\sigma \longrightarrow^* \lceil\mathsf{nil}\rceil_\emptyset \| \lceil c!\vec e\rceil_\rho\sigma \equiv \lceil c!\vec e\rceil_\rho\sigma \qquad (5.6)
\]
Clearly, $\lceil c!\vec e\rceil_\rho\sigma$ is stable. Moreover, by the conditions imposed on environment mappings in Definition 4.1 we know $\uparrow\! c \in \Gamma(c)$ and thus by (5.4) we deduce that $\uparrow\! c \in \rho$ and hence that $\lceil c!\vec e\rceil_\rho\sigma \not\longrightarrow \mathsf{err}$. As a result, from (5.6) we obtain $T\sigma \| \lceil c!\vec e\rceil_\rho\sigma \Downarrow \lceil c!\vec e\rceil_\rho\sigma$ and, for some $\vec v$ where $\vec e\sigma \Downarrow \vec v$, by (5.4) and Figure 3 we obtain $\Gamma, (T \| \lceil c!\vec e\rceil_\rho)\sigma \models c\langle\vec e\rangle\sigma$.
lIn: For arbitrary $\sigma, T$ we have
\[
\begin{array}{lr}
b\sigma \Downarrow \mathsf{tt} & (5.7)\\
\Gamma, T\sigma \models (\varphi * c\langle\vec e\rangle)\sigma & (5.8)\\
T\sigma \perp (\lceil c?\vec x.P\rceil_{\rho\setminus\Gamma(c)} \| S)\sigma & (5.9)
\end{array}
\]
and the side-condition
\[
\downarrow\! c \in \rho \qquad (5.10)
\]
By (5.8) and Figure 3 we know
\[
\begin{array}{lr}
T\sigma \Downarrow (\mathsf{new}\, \vec d)(T_1 \| T_2) & (5.11)\\
\text{where } \vec d \notin \mathsf{dom}(\Gamma) & (5.12)\\
\Gamma, T_1 \models \varphi\sigma & (5.13)\\
\text{and } \Gamma, T_2 \models c\langle\vec e\rangle\sigma & (5.14)
\end{array}
\]
By $\Gamma, T_2 \models c\langle\vec e\rangle\sigma$ and Figure 3 we know
\[
T_2 \Downarrow \lceil c!\vec e\,'\rceil_\mu \quad \text{where } \vec e\sigma \Downarrow \vec v,\ \vec e\,' \Downarrow \vec v \text{ and } \Gamma(c) \subseteq \mu \qquad (5.15)
\]
By (5.9) we know $T\sigma \| (\lceil c?\vec x.P\rceil_{\rho\setminus\Gamma(c)} \| S)\sigma$ is well-resourced, and by (5.12) and $\Gamma(c) \subseteq \mu$ of (5.15) we know that $c \notin \vec d$ and that $\vec d \notin \mathsf{nm}(\mu)$. Thus by (5.11), (5.15) and cPar, cCom, (5.12) and scExt we obtain
\[
\begin{array}{lr}
T\sigma \| (\lceil c?\vec x.P\rceil_{\rho\setminus\Gamma(c)} \| S)\sigma \longrightarrow^* (\mathsf{new}\, \vec d)(T_1) \| \lceil c!\vec e\,'\rceil_\mu \| (\lceil c?\vec x.P\rceil_{\rho\setminus\Gamma(c)} \| S)\sigma & (5.16)\\[1ex]
(\mathsf{new}\, \vec d)(T_1) \| \lceil c!\vec e\,'\rceil_\mu \| (\lceil c?\vec x.P\rceil_{\rho\setminus\Gamma(c)} \| S)\sigma \longrightarrow (\mathsf{new}\, \vec d)(T_1) \| (\lceil P\{\vec v/\vec x\}\rceil_{\rho\cup\mu} \| S)\sigma & (5.17)
\end{array}
\]
By (5.16) and Lemma 3.16 we know that $(\mathsf{new}\, \vec d)(T_1) \| (\lceil c?\vec x.P\rceil_{\rho\setminus\Gamma(c)} \| S)\sigma$ is well-resourced, and by $\Gamma(c) \subseteq \mu$ of (5.15) we deduce that
\[
(\mathsf{new}\, \vec d)T_1 \perp (\lceil P\{\vec e/\vec x\}\rceil_\rho \| S)\sigma \qquad (5.18)
\]
By (5.13), (5.12) and Lemma A.7 we obtain
\[
\Gamma, (\mathsf{new}\, \vec d)T_1 \models \varphi\sigma
\]
and thus by (5.7), (5.18), the premise $\Gamma; b \vdash \{\varphi\}\ \lceil P\{\vec e/\vec x\}\rceil_\rho \| S\ \{\psi\}$ and I.H. we obtain
\[
\Gamma, (\mathsf{new}\, \vec d)T_1 \| (\lceil P\{\vec e/\vec x\}\rceil_\rho \| S)\sigma \models \psi\sigma \qquad (5.19)
\]
By $\vec e\sigma \Downarrow \vec v$ of (5.15) and Lemma A.6 we get $\Gamma, (\mathsf{new}\, \vec d)T_1 \| (\lceil P\{\vec v/\vec x\}\rceil_\rho \| S)\sigma \models \psi\sigma$. Moreover, by Lemma A.23 we also obtain
\[
\Gamma, (\mathsf{new}\, \vec d)T_1 \| (\lceil P\{\vec v/\vec x\}\rceil_{\rho\cup\mu} \| S)\sigma \models \psi\sigma
\]
Thus by (5.16), (5.17) and Proposition 4.7 we obtain $\Gamma, T\sigma \| (\lceil c?\vec x.P\rceil_{\rho\setminus\Gamma(c)} \| S)\sigma \models \psi\sigma$ as required.
lPar: For arbitrary $\sigma, R$ we have
\[
\begin{array}{lr}
b\sigma \Downarrow \mathsf{tt} & (5.20)\\
\Gamma, R\sigma \models (\varphi_1 * \varphi_2)\sigma & (5.21)\\
R\sigma \perp S\sigma \| T\sigma & (5.22)
\end{array}
\]
and the side-conditions
\[
\begin{array}{lr}
\varphi_2 \perp \varphi_3 & (5.23)\\
\psi_1 \perp \psi_2 & (5.24)
\end{array}
\]
By (5.21) we know
\[
\begin{array}{lr}
R\sigma \Downarrow (\mathsf{new}\, \vec c)(R_1 \| R_2) & (5.25)\\
\text{where } \vec c \notin \mathsf{dom}(\Gamma) & (5.26)\\
\Gamma, R_1 \models \varphi_1\sigma & (5.27)\\
\text{and } \Gamma, R_2 \models \varphi_2\sigma & (5.28)
\end{array}
\]
By (5.25), (5.22) and Lemma 3.16 we know
\[
\begin{array}{lr}
R_1 \perp R_2 & (5.29)\\
\text{and } R_1 \perp S\sigma \| T\sigma & (5.30)\\
\text{and } R_2 \perp S\sigma \| T\sigma & (5.31)
\end{array}
\]
By (5.20), (5.27), $R_1 \perp S\sigma$ from (5.30) and I.H. we have $\Gamma, R_1 \| S\sigma \models (\psi_1 * \varphi_3)\sigma$, and from the satisfaction definition of Figure 3 we obtain
\[
\begin{array}{lr}
R_1 \| S\sigma \Downarrow (\mathsf{new}\, \vec d)(S_1 \| S_2) & (5.32)\\
\text{where } \vec d \notin \mathsf{dom}(\Gamma) & (5.33)\\
\Gamma, S_1 \models \psi_1\sigma & (5.34)\\
\text{and } \Gamma, S_2 \models \varphi_3\sigma & (5.35)
\end{array}
\]
By (5.29) and (5.31) we know $R_1 \| S\sigma \perp R_2$. Thus, by (5.32) and Lemma 3.3 we derive $S_1 \perp R_2$, and by (5.28), (5.35), the rule side-condition (5.23) and Lemma 4.11 we obtain
\[
\Gamma, R_2 \| S_2 \models (\varphi_2 * \varphi_3)\sigma \qquad (5.36)
\]
Using (5.29) and (5.32) we can also derive $R_2 \| S_2 \perp T\sigma$ and by (5.20), (5.36) and I.H. we derive
\[
\Gamma, R_2 \| S_2 \| T\sigma \models \psi_2\sigma \qquad (5.37)
\]
By (5.29) and (5.32) we also derive $S_1 \perp (R_2 \| S_2 \| T\sigma)$ and by the rule side-condition (5.24) and Lemma 4.11 we obtain
\[
\Gamma, S_1 \| R_2 \| S_2 \| T\sigma \models (\psi_1 * \psi_2)\sigma
\]
Thus by (5.26), (5.33) and Lemma A.11 we deduce
\[
\Gamma, (\mathsf{new}\, \vec c, \vec d)(S_1 \| R_2 \| S_2 \| T)\sigma \models (\psi_1 * \psi_2)\sigma \qquad (5.38)
\]
From (5.25), (5.32), cPar, cRes, cStr and scExt we derive
\[
R\sigma \| S\sigma \| T\sigma \;\longrightarrow^*\equiv\; (\mathsf{new}\, \vec c)(R_1 \| R_2 \| S\sigma \| T\sigma) \;\longrightarrow^*\equiv\; (\mathsf{new}\, \vec c, \vec d)(S_1 \| R_2 \| S_2 \| T\sigma)
\]
and by (5.38), Proposition 4.7 and Proposition 4.6 we obtain $\Gamma, R\sigma \| S\sigma \| T\sigma \models (\psi_1 * \psi_2)\sigma$ as required. □



5.3. Process Sequent Satisfaction. We conclude this section with Definition 5.6, which extends sequent satisfaction to processes by assuming the existence of a permission environment and the respective permission-set required by the satisfaction definition of Figure 3. This allows for the possibility of having multiple narratives explaining determinism, and is in line with the "ownership is in the eye of the asserter" principle [28].

Definition 5.6 (Process Sequent Satisfaction).
\[
b \models \{\varphi\}\ P\ \{\psi\} \stackrel{\mathrm{def}}{=} \text{there exist } \Gamma, \rho \text{ such that } \Gamma, b \models \{\varphi\}\ \lceil P\rceil_\rho\ \{\psi\}
\]

Example 5.7. According to Definition 5.6 we can now state that $Prg$, from Example 2.7, satisfies the property
\[
x < 9 \models \{c_1\langle x\rangle * c_2\langle y\rangle\}\ Prg\ \{c_1\langle x, 2x\rangle * c_4\langle\rangle\}, \qquad (5.39)
\]
while abstracting over the narrative as to why $Prg$ is deterministic. It can be read as saying that, given two values $x$ and $y$ on channels $c_1$ and $c_2$ respectively, $Prg$ returns the value of $x$ together with its double on $c_1$ and a signal on $c_4$, provided that the value of $x$ is less than 10. Mirroring the previous discussion in Example 2.7, $Prg$ also satisfies the property
\[
x > 9 \models \{c_1\langle x\rangle * c_2\langle y\rangle\}\ Prg\ \{c_4\langle x\rangle * \mathsf{any}\}, \qquad (5.40)
\]
where $\mathsf{any}$ abstracts over the blocked code $(\mathsf{new}\, c_3)(c_3?x_4.c_1!(x_4+x_4))$, as described earlier in Example 4.3.

We are also in a position to specify the correctness of our quicksort algorithm, through some macro definitions for compactness.
Example 5.8 (Specifying Correctness for Parallel Quicksort). The expected behaviour of $Qck(i,j)$ from Example 2.8 can be expressed through the sequent satisfaction
\[
(\mathsf{ord}(\vec y_i^{\,j}) \wedge \vec x_i^{\,j} \doteq \vec y_i^{\,j}) \models \{A_i^j(\vec x_i^{\,j})\}\ Qck(i,j)\ \{A_i^j(\vec y_i^{\,j}) * r\langle\rangle\} \qquad (5.41)
\]
using the following macro definitions, whereby $\vec x_i^{\,j}$ denotes the list of variables $x_i \ldots x_j$ when $i \le j$ and the empty list $\epsilon$ otherwise:
\[
A_i^j(\vec x_i^{\,j}) \stackrel{\mathrm{def}}{=}
\begin{cases}
\mathsf{emp} & \text{if } i > j\\
a_i\langle x_i\rangle * A_{i+1}^j(\vec x_{i+1}^{\,j}) & \text{if } i \le j
\end{cases}
\]
\[
\mathsf{ord}(\vec x_i^{\,j}) \stackrel{\mathrm{def}}{=}
\begin{cases}
\mathsf{true} & \text{if } i = j\\
x_i \le x_{i+1} \wedge \mathsf{ord}(\vec x_{i+1}^{\,j}) & \text{if } i < j
\end{cases}
\]
\[
\vec x_i^{\,j} \doteq \vec y_i^{\,j} \stackrel{\mathrm{def}}{=}
\begin{cases}
\mathsf{true} & \text{if } i = j\\
\text{(the remaining case is not legible in the extraction)}
\end{cases}
\]
The specification (5.41) above states that when $Qck(i,j)$ is composed with an array of arbitrary values on channels $a_i \ldots a_j$, denoted by the assertion macro $A_i^j(\vec x_i^{\,j})$, it returns another array of values on the same channel list, $A_i^j(\vec y_i^{\,j})$, together with a signal on channel $r$ denoting completion. Moreover, the values returned are

(1) ordered, expressed as the predicate $\mathsf{ord}(\vec y_i^{\,j})$;

(2) equal, up to reordering, to the original values, expressed as the predicate $\vec x_i^{\,j} \doteq \vec y_i^{\,j}$.



6. Application

We conclude by revisiting the properties stated in Section 5.3 and show how our proof system can be used to prove them. In Example 6.1 we see how proofs about concurrent code are performed by running through only one possible reduction trace, even when other interleavings are possible. The main appeal of these proofs is however their amenability to compositionality, as shown in Example 6.2. In this example proof, the behaviour of sub-programs is verified in terms of their pre- and post-conditions only, without any concern for external interference from other concurrent code. Independently verified sub-programs are then merged together using lPar (and its variants lCut, lSep and lSepSt), as long as the sub-programs are separate with respect to the permissions that they own.

Example 6.1 (Proving Satisfiability). We prove the specifications (5.39) and (5.40) stated earlier in Example 5.7 by first augmenting the satisfaction specification with an appropriate narrative for determinism, as stated in Definition 5.6. One possible narrative is the permission-set $\{\downarrow\! c_1, \downarrow\! c_2, \uparrow\! c_4\}$ together with the permission-transfer invariants
\[
\Gamma = c_1:\{\uparrow\! c_1\},\ c_2:\{\uparrow\! c_2\},\ c_4:\{\uparrow\! c_4, \downarrow\! c_1\}
\]
yielding the system specification
\[
\Gamma, x < 9 \models \{c_1\langle x\rangle * c_2\langle y\rangle\}\ \lceil Prg\rceil_{\{\downarrow c_1,\downarrow c_2,\uparrow c_4\}}\ \{c_1\langle x, 2x\rangle * c_4\langle\rangle\} \qquad (6.1)
\]
Another possible narrative is the permission-set $\{\downarrow\! c_1, \downarrow\! c_2\}$ and the environment
\[
\Gamma' = c_1:\{\uparrow\! c_1, \uparrow\! c_4\},\ c_2:\{\uparrow\! c_2\},\ c_4:\{\uparrow\! c_4, \downarrow\! c_1\}
\]
yielding a different intensional specification explaining the process determinism:
\[
\Gamma', x < 9 \models \{c_1\langle x\rangle * c_2\langle y\rangle\}\ \lceil Prg\rceil_{\{\downarrow c_1,\downarrow c_2\}}\ \{c_1\langle x, 2x\rangle * c_4\langle\rangle\}
\]
We here focus on the specification with the first narrative, (6.1), which by Theorem 5.5 follows from the proof of the sequent
\[
\Gamma; x < 9 \vdash \{c_1\langle x\rangle * c_2\langle y\rangle\}\ \lceil Prg\rceil_{\{\downarrow c_1,\downarrow c_2,\uparrow c_4\}}\ \{c_1\langle x, 2x\rangle * c_4\langle\rangle\} \qquad (6.2)
\]
Since $Prg = (\mathsf{new}\, c_3)(Fltr \| Dbl)$, we prove (6.2) by applying the proof rule lDef followed by lLcl and lRes, which leaves us with the following sequent to prove
\[
\Gamma''; x < 9 \vdash \{c_1\langle x\rangle * c_2\langle y\rangle\}\ \lceil Fltr \| Dbl\rceil_{\{\downarrow c_1,\downarrow c_2,\uparrow c_3,\downarrow c_3,\uparrow c_4\}}\ \{c_1\langle x, 2x\rangle * c_4\langle\rangle\} \qquad (6.3)
\]
where $\Gamma''$ is the extended environment $\Gamma'' = \Gamma, c_3:\{\uparrow\! c_3, \uparrow\! c_1\}$. Note that, through lRes, in (6.3) we have also increased the permissions owned by the system with $\downarrow\! c_3$ and $\uparrow\! c_3$, the permissions relevant to the scope of $c_3$ opened by lRes. Moreover, for lRes the post-condition is unaffected in this case, i.e., according to Definition 5.2, $(c_1\langle x, 2x\rangle * c_4\langle\rangle) \setminus c_3 = c_1\langle x, 2x\rangle * c_4\langle\rangle$. After applying the logical rule lSpl, followed by two applications of lDef for $Fltr$ and $Dbl$, we are left with
\[
\lceil c_1?x_1.\ \mathsf{if}\ x_1 < 9\ \mathsf{then}\ c_3!x_1 \;\|\; c_1?x_3.(c_1!(x_1,x_3) \| c_4!)\ \mathsf{else}\ c_4!x_1\rceil_{\{\downarrow c_1,\uparrow c_3,\uparrow c_4\}} \;\|\; \lceil c_2?x_2.c_3?x_4.c_1!(x_4+x_4)\rceil_{\{\downarrow c_2,\downarrow c_3\}}
\]
We proceed by applying lIn twice, for $c_1$ and $c_2$ (in any order), and then by applying lIf, which gives us one unreachable branch since $x < 9 \wedge \neg(x < 9) \Rightarrow \mathsf{false}$; this can be discharged by lImp and the axiom lFls. The reachable premise can be proved as follows; we elide the environment and boolean condition from the sequents below as they remain unchanged throughout:

\[
\{\mathsf{emp}\}\ \lceil c_3!x \;\|\; c_1?x_3.(c_1!(x,x_3) \| c_4!)\rceil_{\{\downarrow c_1,\uparrow c_1,\uparrow c_3,\uparrow c_4\}} \;\|\; \lceil c_3?x_4.c_1!(x_4+x_4)\rceil_{\{\downarrow c_2,\downarrow c_3,\uparrow c_2\}}\ \{c_1\langle x,2x\rangle * c_4\langle\rangle\}
\]
Reading the derivation tree from its root upwards, the proof steps are the following.

(1) lSpl splits the left-hand process into $\lceil c_3!x\rceil_{\{\uparrow c_1,\uparrow c_3\}} \| \lceil c_1?x_3.(c_1!(x,x_3) \| c_4!)\rceil_{\{\downarrow c_1,\uparrow c_4\}}$, leaving
\[
\{\mathsf{emp}\}\ \lceil c_3!x\rceil_{\{\uparrow c_1,\uparrow c_3\}} \;\|\; \lceil c_1?x_3.(c_1!(x,x_3) \| c_4!)\rceil_{\{\downarrow c_1,\uparrow c_4\}} \;\|\; \lceil c_3?x_4.c_1!(x_4+x_4)\rceil_{\{\downarrow c_2,\downarrow c_3,\uparrow c_2\}}\ \{c_1\langle x,2x\rangle * c_4\langle\rangle\}
\]

(2) lCut with cut-formula $c_3\langle x\rangle$ separates the output on $c_3$ from the rest:
\[
\begin{array}{l}
\{\mathsf{emp}\}\ \lceil c_3!x\rceil_{\{\uparrow c_1,\uparrow c_3\}}\ \{c_3\langle x\rangle\} \quad \text{by lOut, since } \Gamma''(c_3) \subseteq \{\uparrow c_1,\uparrow c_3\}\\[1ex]
\{c_3\langle x\rangle\}\ \lceil c_1?x_3.(c_1!(x,x_3) \| c_4!)\rceil_{\{\downarrow c_1,\uparrow c_4\}} \;\|\; \lceil c_3?x_4.c_1!(x_4+x_4)\rceil_{\{\downarrow c_2,\downarrow c_3,\uparrow c_2\}}\ \{c_1\langle x,2x\rangle * c_4\langle\rangle\}
\end{array}
\]

(3) lIn on $c_3$ consumes $c_3\langle x\rangle$, the input acquiring $\Gamma''(c_3) = \{\uparrow c_3, \uparrow c_1\}$:
\[
\{\mathsf{emp}\}\ \lceil c_1?x_3.(c_1!(x,x_3) \| c_4!)\rceil_{\{\downarrow c_1,\uparrow c_4\}} \;\|\; \lceil c_1!(x+x)\rceil_{\{\downarrow c_2,\downarrow c_3,\uparrow c_2,\uparrow c_1,\uparrow c_3\}}\ \{c_1\langle x,2x\rangle * c_4\langle\rangle\}
\]

(4) lCut with cut-formula $c_1\langle 2x\rangle$:
\[
\begin{array}{l}
\{\mathsf{emp}\}\ \lceil c_1!(x+x)\rceil_{\{\downarrow c_2,\downarrow c_3,\uparrow c_2,\uparrow c_1,\uparrow c_3\}}\ \{c_1\langle 2x\rangle\} \quad \text{by lOutD, since } x + x = 2x \text{ and } \Gamma''(c_1) \subseteq \{\downarrow c_2,\downarrow c_3,\uparrow c_2,\uparrow c_1,\uparrow c_3\}\\[1ex]
\{c_1\langle 2x\rangle\}\ \lceil c_1?x_3.(c_1!(x,x_3) \| c_4!)\rceil_{\{\downarrow c_1,\uparrow c_4\}}\ \{c_1\langle x,2x\rangle * c_4\langle\rangle\}
\end{array}
\]

(5) lIn on $c_1$ consumes $c_1\langle 2x\rangle$, the input acquiring $\Gamma''(c_1) = \{\uparrow c_1\}$:
\[
\{\mathsf{emp}\}\ \lceil c_1!(x,2x) \;\|\; c_4!\rceil_{\{\downarrow c_1,\uparrow c_4,\uparrow c_1\}}\ \{c_1\langle x,2x\rangle * c_4\langle\rangle\}
\]

(6) lSpl partitions the permissions between the two outputs:
\[
\{\mathsf{emp}\}\ \lceil c_1!(x,2x)\rceil_{\{\uparrow c_1\}} \;\|\; \lceil c_4!\rceil_{\{\downarrow c_1,\uparrow c_4\}}\ \{c_1\langle x,2x\rangle * c_4\langle\rangle\}
\]

(7) lSepSt (with the precondition $\mathsf{emp} * \mathsf{emp}$ identified with $\mathsf{emp}$ through Lemma 4.9 and lImp) closes the proof with two instances of lOut:
\[
\begin{array}{l}
\{\mathsf{emp}\}\ \lceil c_1!(x,2x)\rceil_{\{\uparrow c_1\}}\ \{c_1\langle x,2x\rangle\} \quad \text{since } \Gamma''(c_1) \subseteq \{\uparrow c_1\}\\[1ex]
\{\mathsf{emp}\}\ \lceil c_4!\rceil_{\{\downarrow c_1,\uparrow c_4\}}\ \{c_4\langle\rangle\} \quad \text{since } \Gamma''(c_4) \subseteq \{\downarrow c_1,\uparrow c_4\}
\end{array}
\]
Similarly, the second specification, (5.40) in Example 5.7, can be proved through the
sequent:

$\Gamma;\ x>9 \vdash \{c_1\langle x\rangle * c_2\langle y\rangle\}\ \lceil Prg\rceil_{\{\downarrow c_1,\downarrow c_2,\uparrow c_4\}}\ \{c_4\langle x\rangle * \mathit{any}\}$ (6.4)
The proof is similar to that of (6.2), where we first apply lDef, lLcl and lRes, which leaves us with
the following sequent:

$\Gamma'';\ x>9 \vdash \{c_1\langle x\rangle * c_2\langle y\rangle\}\ \lceil Fltr \parallel Dbl\rceil_{\{\downarrow c_1,\downarrow c_2,\downarrow c_3,\uparrow c_3,\uparrow c_4\}}\ \{c_4\langle x\rangle * \mathit{blk}(c_3)\}$ (6.5)

where, this time, the premise post-condition is obtained as $(c_4\langle x\rangle * \mathit{blk}(c_3))\setminus c_3 = c_4\langle x\rangle * \mathit{any}$
according to Definition 5.2. Again, as in the proof for (6.2), we apply lSpl to (6.5), followed
by two applications of lDef for Fltr and Dbl. Then we apply lIn twice, for $c_1$ and $c_2$, to consume
the state formula in the precondition, and then lIf. This time, the rule for the conditional
gives us a different unreachable branch, since $x>9 \wedge x<9 \Rightarrow \mathit{false}$. The reachable premise is
proved as follows:

lOut ($\Gamma''(c_4) \subseteq \{\downarrow c_1,\uparrow c_1,\uparrow c_3,\uparrow c_4\}$): $\{emp\}\ \lceil c_4!x\rceil_{\{\downarrow c_1,\uparrow c_1,\uparrow c_3,\uparrow c_4\}}\ \{c_4\langle x\rangle\}$

lBlk ($\downarrow c_3 \in \{\downarrow c_2,\downarrow c_3,\uparrow c_2\}$): $\{emp\}\ \lceil c_3?x_4.c_1!(x_4+x_4)\rceil_{\{\downarrow c_2,\downarrow c_3,\uparrow c_2\}}\ \{\mathit{blk}(c_3)\}$

lSep ($c_4\langle x\rangle \perp \mathit{blk}(c_3)$), from the two sequents above: $\{emp\}\ \lceil c_4!x\rceil_{\{\downarrow c_1,\uparrow c_1,\uparrow c_3,\uparrow c_4\}} \parallel \lceil c_3?x_4.c_1!(x_4+x_4)\rceil_{\{\downarrow c_2,\downarrow c_3,\uparrow c_2\}}\ \{c_4\langle x\rangle * \mathit{blk}(c_3)\}$

Example 6.2 (Proving Correctness for Parallel Quicksort). To prove the correctness property (5.41)
for $Qck(i,j)$, as stated in Example 5.8, we choose a narrative where the environment is

$\Gamma = a_i : \{\uparrow a_i\}, \ldots, a_j : \{\uparrow a_j\}, r : p(r,i,j)$

and $Qck(i,j)$ owns the permission set $p(r,i,j)$ defined as

$p(x,i,j) \stackrel{\mathit{def}}{=} \{\uparrow x, \downarrow a_i, \ldots, \downarrow a_j\}.$

The permissions associated with r express the fact that the array can only be read after the signal 
denoting completion is consumed. 

We argue, by induction on $n = j - i$ (where $i \le j$), that if we show that the following sequent
holds for arbitrary $i$ and $j$,

$\Gamma;\ (\mathit{ord}(y_i^j) \wedge x_i^j = y_i^j) \vdash \{A_i^j\langle x_i^j\rangle\}\ \lceil Qck(i,j)\rceil_{p(r,i,j)}\ \{A_i^j\langle y_i^j\rangle * r\langle\rangle\}$ (6.6)

this would imply correctness for $Qck(i,j)$ with the above narrative, i.e.,

$\Gamma, (\mathit{ord}(y_i^j) \wedge x_i^j = y_i^j) \models \{A_i^j\langle x_i^j\rangle\}\ \lceil Qck(i,j)\rceil_{p(r,i,j)}\ \{A_i^j\langle y_i^j\rangle * r\langle\rangle\}$

which, by Definition 5.6, would prove the satisfaction (5.41).

For the base case of (6.6), i.e., $n = 0$, assuming $i = j$ as part of the sequent boolean expression,
we trivially prove the sequent using lIf, the state frame rule lFrmSt, and lOut, as shown below. In
what follows, we often elide the sequent environment and boolean condition from our proofs.

lOut: $\{emp\}\ \lceil r!\rceil_{p(r,i,j)}\ \{r\langle\rangle\}$

lFrmSt: $\{A_i^j\langle x_i^j\rangle\}\ \lceil r!\rceil_{p(r,i,j)}\ \{A_i^j\langle x_i^j\rangle * r\langle\rangle\}$

lSub: $\{A_i^j\langle x_i^j\rangle\}\ \lceil r!\rceil_{p(r,i,j)}\ \{A_i^j\langle y_i^j\rangle * r\langle\rangle\}$

lFls (the unreachable else branch): $\{A_i^j\langle x_i^j\rangle\}\ \lceil\ldots\rceil_{p(r,i,j)}\ \{A_i^j\langle y_i^j\rangle * r\langle\rangle\}$

lIf, from the lSub and lFls sequents: $\{A_i^j\langle x_i^j\rangle\}\ \lceil\mathsf{if}\ i=j\ \mathsf{then}\ r!\ \mathsf{else}\ \ldots\rceil_{p(r,i,j)}\ \{A_i^j\langle y_i^j\rangle * r\langle\rangle\}$

lDef: $\{A_i^j\langle x_i^j\rangle\}\ \lceil Qck(i,j)\rceil_{p(r,i,j)}\ \{A_i^j\langle y_i^j\rangle * r\langle\rangle\}$
The inductive case, $n+1 = j-i$, i.e., adding $i<j$ to the sequent boolean expression, assumes
that the property holds for all $m \le n$, i.e., all $m < j-i$ (the inductive hypothesis), and follows from
proving the following two sequents



(6.7)

$\Gamma_1;\ b \vdash \{A_i^{p-1}\langle z_i^{p-1}\rangle * a_p\langle y_p\rangle * A_{p+1}^{j}\langle z_{p+1}^{j}\rangle * r_3\langle p\rangle\}\ \lceil r_3?x.(\mathsf{new}\ r_1,r_2)(Qck(i,x-1)[r_1/r] \parallel Qck(x+1,j)[r_2/r] \parallel r_1?.r_2?.r!)\rceil_{\{\downarrow r_3,\uparrow r\}}\ \{A_i^{j}\langle y_i^{j}\rangle * r\langle\rangle\}$ (6.8)



where $\Gamma_1$ extends $\Gamma$ with the mapping for $r_3$, i.e., $\Gamma_1 = \Gamma, r_3 : p(r_3,i,j)$, and $b$ is a stronger boolean
condition defined as:

$b = \mathit{ord}(y_i^j) \wedge x_i^j = y_i^j \wedge \underbrace{(y_i^{p-1} = z_i^{p-1} \wedge y_{p+1}^{j} = z_{p+1}^{j})}_{(i)} \wedge \underbrace{\big(\textstyle\bigwedge_{k=i}^{p-1} z_k < y_p\big)}_{(ii)} \wedge \underbrace{\big(\textstyle\bigwedge_{k=p+1}^{j} y_p \le z_k\big)}_{(iii)}$

It requires the intermediary lists of values $z_i^{p-1}$ and $z_{p+1}^{j}$, returned by the partitioning $Prt(i,j)$, to be reorderings
of the final values $y_i^{p-1}$ and $y_{p+1}^{j}$, (i), the values in $z_i^{p-1}$ to be less than the pivot, (ii), and the
values in $z_{p+1}^{j}$ to be greater than or equal to the pivot, (iii).

The proof for sequent (6.6) is derived from (6.7) and (6.8) by applying the derived rule lCut,
which logically sequentialises the two systems; then we apply lInst to substitute $y_i^{p-1}, y_{p+1}^{j}$ for
$z_i^{p-1}, z_{p+1}^{j}$ in $b$ (notice that the substitution leaves the pre/post-conditions and the system unchanged,
as $z_i^{p-1}, z_{p+1}^{j}$ are not free in them), then lImpl to recover the boolean condition $(\mathit{ord}(y_i^j) \wedge x_i^j = y_i^j)$,
then lRes to recover $\Gamma$ from $\Gamma_1$, and finally lLcl and lDef to recover $\lceil Qck(i,j)\rceil_{p(r,i,j)}$.

The proof of sequent (6.8) follows from the three sequents (6.9), (6.10) and (6.11)
below, where lRes is used to extend $\Gamma_1$ as

$\Gamma_2 = \Gamma_1, r_1 : p(r_1,i,p-1), r_2 : p(r_2,p+1,j)$

to account for the mappings associated with the channels $r_1$ and $r_2$. Notice how this rule allows us
to choose the permission association relating to $r_1$ and $r_2$ dynamically, depending on the index $p$
returned by the partitioning phase of sequent (6.7). Such data dependencies normally complicate
similar dependency analyses based on type systems such as […].

$\Gamma_2;\ b \vdash \{A_i^{p-1}\langle z_i^{p-1}\rangle\}\ \lceil Qck(i,p-1)[r_1/r]\rceil_{p(r_1,i,p-1)}\ \{A_i^{p-1}\langle y_i^{p-1}\rangle * r_1\langle\rangle\}$ (6.9)

$\Gamma_2;\ b \vdash \{A_{p+1}^{j}\langle z_{p+1}^{j}\rangle\}\ \lceil Qck(p+1,j)[r_2/r]\rceil_{p(r_2,p+1,j)}\ \{A_{p+1}^{j}\langle y_{p+1}^{j}\rangle * r_2\langle\rangle\}$ (6.10)

$\Gamma_2;\ b \vdash \{A_i^{j}\langle y_i^{j}\rangle * r_1\langle\rangle * r_2\langle\rangle\}\ \lceil r_1?.r_2?.r!\rceil_{\{\downarrow a_p,\downarrow r_1,\downarrow r_2,\uparrow r\}}\ \{A_i^{j}\langle y_i^{j}\rangle * r\langle\rangle\}$ (6.11)



Sequents (6.9) and (6.10) follow from the inductive hypotheses. Sequent (6.11) can be easily derived
using lFrmSt, which eliminates $A_i^{j}\langle y_i^{j}\rangle$ from the pre- and post-conditions, and then applying lIn
twice, for $r_1$ and $r_2$ respectively, followed by applying lOut once for $r$; the two inputs on $r_1$ and $r_2$
hand over the permissions $\downarrow a_i, \ldots, \downarrow a_{p-1}$ and $\downarrow a_{p+1}, \ldots, \downarrow a_j$ respectively; these are necessary
for the output on $r$ to be derived.

We recover the proof of sequent (6.8) as follows. Sequents (6.9) and (6.10) can be composed
together as separate parallel code using lSep, and then extended to include $a_p\langle y_p\rangle$ in the pre- and
post-conditions using lFrmSt. This allows us to logically sequence these two systems before the
system $\lceil r_1?.r_2?.r!\rceil_{\{\downarrow a_p,\downarrow r_1,\downarrow r_2,\uparrow r\}}$ of sequent (6.11), thereby cutting the pre-condition of this sequent,
using lCut. Then we scope the two channels $r_1$ and $r_2$ using a combination of lRes, lLcl and
lSpl (which leaves the pre- and post-conditions intact, since they do not mention the
channels $r_1$ and $r_2$), and finally precede this whole system by an input on $r_3$ using lIn, which adds
$r_3\langle p\rangle$ to the precondition.
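As an added consistency check on the permission bookkeeping just described (this is not part of the paper's own proof), assuming $p(x,i,j) = \{\uparrow x, \downarrow a_i, \ldots, \downarrow a_j\}$ as defined above and $\Gamma_2(r_1) = p(r_1,i,p-1)$, $\Gamma_2(r_2) = p(r_2,p+1,j)$:

$$\begin{array}{rcl}
\text{owned after lRes on } r_1, r_2 &=& p(r,i,j) \uplus \{\downarrow r_1,\uparrow r_1,\downarrow r_2,\uparrow r_2\}\\
&=& \{\uparrow r,\downarrow a_i,\ldots,\downarrow a_j,\downarrow r_1,\uparrow r_1,\downarrow r_2,\uparrow r_2\}\\[2pt]
\text{taken by (6.9) and (6.10)} &=& \{\uparrow r_1,\downarrow a_i,\ldots,\downarrow a_{p-1}\} \uplus \{\uparrow r_2,\downarrow a_{p+1},\ldots,\downarrow a_j\}\\[2pt]
\text{remainder, owned by } \lceil r_1?.r_2?.r!\rceil &=& \{\downarrow a_p,\downarrow r_1,\downarrow r_2,\uparrow r\}\\[2pt]
\text{after the inputs on } r_1 \text{ and } r_2 &=& \{\downarrow a_p,\downarrow r_1,\downarrow r_2,\uparrow r\} \uplus \Gamma_2(r_1) \uplus \Gamma_2(r_2)\\
&=& \{\uparrow r,\downarrow a_i,\ldots,\downarrow a_j\} \uplus \{\downarrow r_1,\uparrow r_1,\downarrow r_2,\uparrow r_2\} \supseteq \Gamma(r) = p(r,i,j)
\end{array}$$

The lSpl split is therefore exact (no permission is duplicated or dropped), and the last line is precisely the side condition $\Gamma(r) \subseteq \rho$ that lOut needs for the final $r!$.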

This leaves us with only sequent (6.7) to prove to complete the main proof. This sequent
follows immediately from a proof for the following sequent

$\Gamma_1;\ b \vdash \{A_{i+1}^{j}\langle x_{i+1}^{j}\rangle\}\ \lceil Prt(i,j,x_i,i,i+1)\rceil_{p(r_3,i,j) \uplus \{\uparrow a_i\}}\ \{A_i^{p-1}\langle z_i^{p-1}\rangle * a_p\langle y_p\rangle * A_{p+1}^{j}\langle z_{p+1}^{j}\rangle * r_3\langle p\rangle\}$ (6.12)

through one application of lIn, which reinstates $a_i\langle x_i\rangle$ in the pre-condition, then an application of
lDef to recover $\lceil Prt(i,j)\rceil_{p(r_3,i,j)}$.

We prove (6.12) by proving the more general sequent

$\Gamma_1;\ b' \vdash \{A_{i+1}^{q}\langle w_{i+1}^{q}\rangle * A_{q+1}^{c-1}\langle w_{q+1}^{c-1}\rangle * A_c^{j}\langle x_c^{j}\rangle\}\ \lceil Prt(i,j,x_i,q,c)\rceil_{p(r_3,i,j) \uplus \{\uparrow a_i\}}\ \{A_i^{p-1}\langle z_i^{p-1}\rangle * a_p\langle y_p\rangle * A_{p+1}^{j}\langle z_{p+1}^{j}\rangle * r_3\langle p\rangle\}$ (6.13)

where $b' = b \wedge (i \le q < c \le j+1) \wedge \underbrace{(x_{i+1}^{c-1} = w_{i+1}^{c-1})}_{(iii)} \wedge \underbrace{\big(\textstyle\bigwedge_{k=i+1}^{q} w_k < x_i\big)}_{(i)} \wedge \underbrace{\big(\textstyle\bigwedge_{k=q+1}^{c-1} x_i \le w_k\big)}_{(ii)}$.

Sequent (6.13) allows us to stratify every iteration of the traversal, thereby proving the sequent
by induction on $n = (j+1) - c$. At each iteration $c$, with pivot index $q$ and pivot value $x_i$, (6.13)
expects a precondition split into three parts: $A_{i+1}^{q}\langle w_{i+1}^{q}\rangle$ holds the processed values that are less than the
pivot $x_i$, (i); $A_{q+1}^{c-1}\langle w_{q+1}^{c-1}\rangle$ holds the processed values that are greater than or equal to the pivot $x_i$, (ii); and
$A_c^{j}\langle x_c^{j}\rangle$ is the part of the array that still needs to be traversed. Note also that the values preceding the
current counter, $w_{i+1}^{c-1}$, must be equal, up to reordering, to the values already processed, $x_{i+1}^{c-1}$, (iii).
The base case, i.e., when $c = j+1$ (and thus $A_c^{j}\langle x_c^{j}\rangle = A_{j+1}^{j}\langle x_{j+1}^{j}\rangle = emp$), establishes the post-condition
in (6.13), whereas the inductive case works up towards the base case, whereby the value
comparison at every iteration adds to the ordering information expressed by $b'$. Both proof cases
use a mixture of the rules lIn, lOut, lIf, lSepSt and lCut in a manner similar to that discussed
above; the details are left for the interested reader.

To obtain (6.12) from (6.13), we take $q$ and $c$ to be $i$ and $i+1$ respectively. This case makes the
array assertions $A_{i+1}^{q}\langle w_{i+1}^{q}\rangle$ and $A_{q+1}^{c-1}\langle w_{q+1}^{c-1}\rangle$ in the precondition of (6.13) empty, i.e., both become
$A_{i+1}^{i}\langle w_{i+1}^{i}\rangle = emp$, which, by Lemma 4.9 and lImp, leaves us with $A_{i+1}^{j}\langle x_{i+1}^{j}\rangle$, i.e., the
precondition of (6.12). Moreover, for this case the boolean expression $b'$ is of the form $b \wedge (i \le i <
i+1 \le j+1)$, which is implied by $b$, i.e., $b \models b'$. This means that we can recover $b$ for our sequent
simply by applying lImp as well.



7. Conclusion 



We have developed a logic for deterministic processes, interpreted over systems whose behaviour is 
confined by sets of linear permissions. We also developed a sound proof system through which we 
can determine, in a compositional fashion, the satisfaction of formulas in this logic. We applied this
logic and proof system to specify and prove the correctness of an in-place parallel quicksort. 

7.1. Related Work. Modal logics have traditionally been used in process calculi for the specification
of behavioural properties. Proof systems for these logics have been developed in a variety
of settings (e.g., […], [2], [1], [12], [13]) and some of these have focused on compositional reasoning
as a means of dealing with the scalability problem (e.g., [2], [13], [4]). However, there has been little
focus on locality of reasoning in these efforts. Approaching compositionality without necessarily
modelling locality does seem to have been at the expense of general, but long-winded, proof rules
for parallel composition (e.g. [13]). In addition, termination is often not a major focus in these
logics; in fact, the bisimulation proof technique, often associated with these logics, is insensitive to
divergence. Termination is central to the logical characterisations that we give in this work.

Despite the apparent resemblance, spatial logics for process calculi such as […] differ from
our interpretation of the separating conjunction: we separate on permissions, logical embellishments
on processes, whereas their logical separation is more intensional and operates on the structure of
processes, describing parallel composition directly. Moreover, their aims appear to differ from ours,
since they model mobility and channel privacy; we focus on data, non-interference and locality, and
deal with implicit transfer of permissions.

Following [28], the use of separation logic to support local reasoning for concurrent programs
has been studied intensively over the past few years for the shared-variable model of concurrency.
The initial main idea of ownership transfer of resources between threads impacting upon local reasoning
already appears in [28]. This was then extended to co-exist with Rely/Guarantee reasoning
[37], [15] and recently refined through fractional permissions as Deny/Guarantee reasoning [14]. The
latter is interesting to us as a means of widening our class of programs under analysis. For instance,
[18] uses this approach for dealing with dynamically allocated resource locks.

Separation Logic has been applied to process calculi on at least two occasions. In [22], they
give a separation semantics for a variant of the pi-calculus, based on traces. Their work differs from
ours in a number of respects, in that they only deal with explicit ownership transfer of resources and
are not concerned with developing a proof system. In [31], they also use a process calculus as a
model for a separation logic. They are quite general with respect to the form of resources and how these are
transferred across processes and, as a result, our model of confined processes seems related to theirs.
However, aspects such as the use of SCCS on their part, where processes evolve in synchrony, and
the focus on value passing and stability on ours, lead to a substantially different satisfaction relation
for the logics. The aim of their work is also different from ours; they establish a correspondence
between strong bisimulation and logic satisfaction, whereas we focus on developing a compositional
proof system. Separation logic has also been applied to an imperative concurrent language with
message passing in [38], where the main focus is the implementability of message-passing communication
as copy-less communication over a shared memory model. Although their technical
development is considerably different from ours, this work can be seen as complementary to ours if
implementation aspects of our language are considered.

7.2. Future Work. There is much further work to be done in the area of local reasoning for 
message-passing concurrency. 

With respect to the work presented here, there are a number of design decisions that are worth 
exploring. For instance, at the level of the proof system, a partial correctness interpretation of our 
sequents (as opposed to total correctness) would probably allow us to design a version of the parallel
proof rule, lPar, that is more symmetric. Another avenue worth exploring is that of relaxing
the interpretation of our logical assertions so as to not limit them to safely-stabilising systems. This 
would simplify the verification of certain formulas, such as any, and would also allow us to have 
models where formulas such as c(v) * blk(c) are satisfiable. At the same time, this satisfaction 
weakening would also entail that our existing assertion interpretation changes to one where systems 
satisfy a formula at some point during their evaluation but may then fail to satisfy it as computation 
progresses. Although it is not yet clear whether this is a desirable property to have from the point 
of view of the application of the logic, it has appealing benefits in terms of the assertion satisfaction 
definition, as it streamlines the satisfaction of core formulas like the separating conjunction with ex- 
isting interpretations. Moreover, we also conjecture that this altered interpretation would eliminate 
the need for the side conditions present in the existing parallel rule, lPar. 

At a more general level, we also seek to widen the class of programs we can treat by introducing
non-confluent behaviour in a controlled way. We intend to extend our setting to allow for
more interesting forms of data to be communicated, including, say, channel names. We also need to
develop algorithms for inferring the permission-set maps, and tools to support the proof-system
reasoning. Finally, and perhaps most importantly, we need to expand our suite of case studies and
consider larger example proofs.
Appendix A. Proofs

A.l. Processes. 

Lemma A.1 (Structural Equivalence and Reductions). $P \equiv Q$ and $P \longrightarrow P'$ implies $\exists Q'.\ Q \longrightarrow Q'$ and $P' \equiv Q'$.

Proof. By rule induction on $P \equiv Q$. □

Corollary A.2 (Structural Equivalence and Reductions). $P \equiv Q$ and $P \not\longrightarrow$ implies $Q \not\longrightarrow$.

A.2. Confined Processes. 

Lemma A.3. $S \equiv T$ implies $\lfloor S\rfloor \equiv \lfloor T\rfloor$.

Proof. By rule induction on $S \equiv T$.

scNil: $\lfloor S \parallel \lceil\mathit{nil}\rceil_\emptyset\rfloor = \lfloor S\rfloor \parallel \lfloor\lceil\mathit{nil}\rceil_\emptyset\rfloor = \lfloor S\rfloor \parallel \mathit{nil}$, and $\lfloor S\rfloor \parallel \mathit{nil} \equiv \lfloor S\rfloor$ by sNil.

scCom, scAss, scNew, scSwp: By the corresponding structural rules sCom, sAss, sNew, sSwp.

scExt: By sExt and the fact that $c \notin \mathit{fn}(S)$ implies $c \notin \mathit{fn}(\lfloor S\rfloor)$. □

Lemma 3.12 (Correspondence). $S \longrightarrow T$ implies $\lfloor S\rfloor \longrightarrow \lfloor T\rfloor$ or $\lfloor S\rfloor \equiv \lfloor T\rfloor$.

Proof. The proof is by rule induction on $S \longrightarrow T$.

cThn, cEls, cCom, cPrc: There is a corresponding reduction rule in the semantics of Figure 1.
cSpl, cRst, cDsc: Satisfies $\lfloor S\rfloor \equiv \lfloor T\rfloor$.
cPar, cRes: Follows by I.H.

cStr: By rStr and Lemma A.3. □

Corollary A.4. $\lfloor S\rfloor \not\longrightarrow$ implies $S \not\longrightarrow$ or $(\exists T.\ S \longrightarrow T$ and $\lfloor S\rfloor \equiv \lfloor T\rfloor)$.

Lemma 3.17 (Properties of $\simeq$ with respect to reductions).

(1) $S \simeq T$ and $T \longrightarrow T'$ and $S \not\longrightarrow \mathit{err}$ implies $\exists S'.\ S \longrightarrow S'$ and $S' \simeq T'$

(2) $S \simeq T$ and $S \not\longrightarrow$ implies $T \not\longrightarrow$

Proof. The first clause is proved by case analysis of $T \longrightarrow T'$, using Lemma A.5 to infer the structure of $T$,
and then using the definition of $S \simeq T$ to determine the structure of $S$. The second clause is proved by assuming that
$\exists T'$ such that $T \longrightarrow T'$ and then using the first clause to show that this leads to a contradiction. □

Lemma A.5 (Reduction and System Structure). $S \longrightarrow T$ implies

(1) $S \equiv (\mathsf{new}\ \vec{c})(\lceil c!e\rceil_\rho \parallel \lceil c?x.P\rceil_\mu \parallel R)$, $T \equiv (\mathsf{new}\ \vec{c})(\lceil P\{v/x\}\rceil_{\mu \cup \rho} \parallel R)$, $\uparrow c \in \rho$, $\downarrow c \in \mu$, $e \Downarrow v$; or

(2) $S \equiv (\mathsf{new}\ \vec{c})(\lceil\mathsf{if}\ b\ \mathsf{then}\ P\ \mathsf{else}\ Q\rceil_\rho \parallel R)$, $T \equiv (\mathsf{new}\ \vec{c})(\lceil P\rceil_\rho \parallel R)$ or $T \equiv (\mathsf{new}\ \vec{c})(\lceil Q\rceil_\rho \parallel R)$; or

(3) $S \equiv (\mathsf{new}\ \vec{c})(\lceil K(\vec{e})[\vec{d}_1/\vec{d}_2]\rceil_\rho \parallel R)$, $T \equiv (\mathsf{new}\ \vec{c})(\lceil P\{\vec{v}/\vec{x}\}[\vec{d}_1/\vec{d}_2]\rceil_\rho \parallel R)$, $\vec{e} \Downarrow \vec{v}$; or

(4) $S \equiv (\mathsf{new}\ \vec{c})(\lceil P \parallel Q\rceil_{\rho \uplus \mu} \parallel R)$, $T \equiv (\mathsf{new}\ \vec{c})(\lceil P\rceil_\rho \parallel \lceil Q\rceil_\mu \parallel R)$; or

(5) $S \equiv (\mathsf{new}\ \vec{c})(\lceil(\mathsf{new}\ c)P\rceil_\rho \parallel R)$, $T \equiv (\mathsf{new}\ \vec{c})((\mathsf{new}\ c)(\lceil P\rceil_{\rho \cup \{\downarrow c,\uparrow c\}}) \parallel R)$; or

(6) $S \equiv (\mathsf{new}\ \vec{c})(\lceil\mathit{nil}\rceil_\rho \parallel R)$, $T \equiv (\mathsf{new}\ \vec{c})(\lceil\mathit{nil}\rceil_\emptyset \parallel R)$, $\rho \ne \emptyset$.

Proof. By rule induction on $S \longrightarrow T$. □
Proposition 3.14 (Safe-Stability and System Structure).

$S\checkmark$ iff $S \equiv (\mathsf{new}\ \vec{d})\big(\parallel_{i=0}^{n} \lceil c_i!e_i\rceil_{\rho_i} \parallel \parallel_{j=0}^{m} \lceil c'_j?x_j.P_j\rceil_{\mu_j}\big)$

where

• $\{c_1,\ldots,c_n\} \cap \{c'_1,\ldots,c'_m\} = \emptyset$;

• $\bigwedge_{i=0}^{n} \uparrow c_i \in \rho_i$ and $\bigwedge_{j=0}^{m} \downarrow c'_j \in \mu_j$;

and where $\parallel_{i=0}^{0} \lceil c_i!e_i\rceil_{\rho_i}$ and $\parallel_{j=0}^{0} \lceil c'_j?x_j.P_j\rceil_{\mu_j}$ denote $\lceil\mathit{nil}\rceil_\emptyset$.

Proof. Immediate by case analysis of Lemma A.5 and then the conditions for $S \longrightarrow \mathit{err}$ from Figure 2. □

Lemma 3.18 (Partial Confluence). $S \longrightarrow T_1$ and $S \longrightarrow T_2$ implies either of the following:

(1) $T_1 \simeq T_2$; or

(2) $\exists T_3.\ T_1 \longrightarrow T_3$ and $T_2 \longrightarrow T_3$.

Proof. By case analysis of the possible forms of $S$ using Lemma A.5, then restricting the possibilities using
properties of well-formed systems. We here overview the two main cases.

• For $S \longrightarrow T_1$ we have

$S \equiv (\mathsf{new}\ \vec{d})(\lceil c_1!e_1\rceil_{\rho_1} \parallel \lceil c_1?x_1.P_1\rceil_{\mu_1} \parallel R_1)$, $T_1 \equiv (\mathsf{new}\ \vec{d})(\lceil P_1\{v_1/x_1\}\rceil_{\mu_1 \cup \rho_1} \parallel R_1)$, $\uparrow c_1 \in \rho_1$, $\downarrow c_1 \in \mu_1$.

Also for $S \longrightarrow T_2$ we have

$S \equiv (\mathsf{new}\ \vec{d})(\lceil c_2!e_2\rceil_{\rho_2} \parallel \lceil c_2?x_2.P_2\rceil_{\mu_2} \parallel R_2)$, $T_2 \equiv (\mathsf{new}\ \vec{d})(\lceil P_2\{v_2/x_2\}\rceil_{\mu_2 \cup \rho_2} \parallel R_2)$, $\uparrow c_2 \in \rho_2$, $\downarrow c_2 \in \mu_2$.

We have two sub-cases:
$c_1 \ne c_2$: The two redexes in $S$ are distinct and, for some system $R$, we have

$R_1 \equiv (\mathsf{new}\ \vec{d})(\lceil c_2!e_2\rceil_{\rho_2} \parallel \lceil c_2?x_2.P_2\rceil_{\mu_2} \parallel R)$ and $R_2 \equiv (\mathsf{new}\ \vec{d})(\lceil c_1!e_1\rceil_{\rho_1} \parallel \lceil c_1?x_1.P_1\rceil_{\mu_1} \parallel R)$

from which we can then find a common $T_3$ that both $T_1$ and $T_2$ reduce to.
$c_1 = c_2$: The conditions $\uparrow c_1 \in \rho_1$, $\downarrow c_1 \in \mu_1$, $\uparrow c_2 \in \rho_2$ and $\downarrow c_2 \in \mu_2$, together with the fact that $S$ is well-formed,
ensure that $S \longrightarrow T_1$ and $S \longrightarrow T_2$ refer to the same reduction (modulo structural equivalence),
i.e., $\rho_1 = \rho_2$, $\mu_1 = \mu_2$, $e_1 = e_2$, $P_1 = P_2$ and $R_1 \equiv R_2$, which implies $T_1 \equiv T_2$, and thus $T_1 \simeq T_2$ by
Proposition 3.16.

• For $S \longrightarrow T_1$ we have $S \equiv (\mathsf{new}\ \vec{d})(\lceil P_1 \parallel Q_1\rceil_{\rho_1 \uplus \mu_1} \parallel R_1)$, $T_1 \equiv (\mathsf{new}\ \vec{d})(\lceil P_1\rceil_{\rho_1} \parallel \lceil Q_1\rceil_{\mu_1} \parallel R_1)$, and for $S \longrightarrow T_2$
we have $S \equiv (\mathsf{new}\ \vec{d})(\lceil P_2 \parallel Q_2\rceil_{\rho_2 \uplus \mu_2} \parallel R_2)$, $T_2 \equiv (\mathsf{new}\ \vec{d})(\lceil P_2\rceil_{\rho_2} \parallel \lceil Q_2\rceil_{\mu_2} \parallel R_2)$. By the assumption that $S$ is
well-formed, we have the following sub-cases:
$(\rho_1 \uplus \mu_1) \ne (\rho_2 \uplus \mu_2)$: Then we have different redexes, meaning that for some $R$ we have

$R_1 \equiv (\mathsf{new}\ \vec{d})(\lceil P_2 \parallel Q_2\rceil_{\rho_2 \uplus \mu_2} \parallel R)$ and $R_2 \equiv (\mathsf{new}\ \vec{d})(\lceil P_1 \parallel Q_1\rceil_{\rho_1 \uplus \mu_1} \parallel R)$,

which guarantees the existence of a common system $T_3$ that $T_1$ and $T_2$ can reduce to.
$(\rho_1 \uplus \mu_1) = (\rho_2 \uplus \mu_2)$: Then we must have the same redexes, i.e., $P_1 = P_2$, $Q_1 = Q_2$ and $R_1 \equiv R_2$. This
implies $T_1 \simeq T_2$. □
The following technical lemmas deal with the restricted non-determinism of confined processes and how it
can be characterised using the relation $\simeq$. In particular, Lemma A.8 is useful because it allows us to correct
reductions that lead to systems that do not evaluate, by instead reducing to systems that are related to them by
$\simeq$, which in turn means, by Proposition 3.16, that they contain the same process structure.

Lemma A.6. $S\Downarrow$ and $S \longrightarrow T$ and $T\not\Downarrow$ implies $\exists P,Q,R.\ S \equiv (\mathsf{new}\ \vec{c})(\lceil P \parallel Q\rceil_{\rho \uplus \mu} \parallel R)$ and
$T \equiv (\mathsf{new}\ \vec{c})(\lceil P\rceil_\rho \parallel \lceil Q\rceil_\mu \parallel R)$.

Proof. By induction on the number of reductions in $S\Downarrow$ leading to a safely-stable system, i.e., $S \longrightarrow^n S'\checkmark$ for
some $S'$.

$n = 1$: By Lemma 3.18 and $S'\checkmark$ (i.e., $S' \not\longrightarrow$) it must be the case that $T \simeq S'$. By Lemma 3.17(2) this also
implies $T \not\longrightarrow$, and since $T\not\Downarrow$ it must be the case that $T \longrightarrow \mathit{err}$. Now, by case analysis of Lemma A.5, the only
system structure that allows this is when $S \equiv (\mathsf{new}\ \vec{c})(\lceil P \parallel Q\rceil_{\rho \uplus \mu} \parallel S'')$ and $T \equiv (\mathsf{new}\ \vec{c})(\lceil P\rceil_\rho \parallel \lceil Q\rceil_\mu \parallel S'')$.

$n = k+1$: We have $S\Downarrow$, $S \longrightarrow S'' \longrightarrow^k S'\checkmark$. By Lemma 3.18 we have two sub-cases. The first case
subsumes the second in some cases, so we here consider the mutually exclusive variants:
$\exists T'.\ T \longrightarrow T'$ and $S'' \longrightarrow T'$: $T\not\Downarrow$ implies $T'\not\Downarrow$, and by $S'' \longrightarrow T'$, $S'' \longrightarrow^k S'\checkmark$ and I.H. we obtain
$S'' \equiv (\mathsf{new}\ \vec{c})(\lceil P \parallel Q\rceil_{\rho \uplus \mu} \parallel S''')$ and $T' \equiv (\mathsf{new}\ \vec{c})(\lceil P\rceil_\rho \parallel \lceil Q\rceil_\mu \parallel S''')$. Now $T\not\Downarrow$ and $S'' \longrightarrow^k S'\checkmark$
implies $T \not\simeq S''$. Thus, by the fact that $S \longrightarrow T \longrightarrow T'$ and the uniqueness of linear permissions,
it must be the case that $S \equiv (\mathsf{new}\ \vec{c})(\lceil P \parallel Q\rceil_{\rho \uplus \mu} \parallel S'''')$ and $T \equiv (\mathsf{new}\ \vec{c})(\lceil P\rceil_\rho \parallel \lceil Q\rceil_\mu \parallel S'''')$ for some
$S''''$ such that $S'''' \longrightarrow S'''$.
$T \simeq S''$, where $\nexists T'.\ T \longrightarrow T'$ and $S'' \longrightarrow T'$: Clearly, since $T\not\Downarrow$, we have $T \ne S''$. Also, the fact that
there is no common system that $T$ and $S''$ can reduce to means that the reductions from $S$ were not
from separate redexes. By case analysis of Lemma A.5, the only possible option for having non-deterministic
reductions from the same redex is the case where $S \equiv (\mathsf{new}\ \vec{c})(\lceil P \parallel Q\rceil_{\rho \uplus \mu} \parallel S''')$ and
$T \equiv (\mathsf{new}\ \vec{c})(\lceil P\rceil_\rho \parallel \lceil Q\rceil_\mu \parallel S''')$. □

Lemma A.7. $S\Downarrow$ and $S \equiv (\mathsf{new}\ \vec{c})(\lceil P \parallel Q\rceil_\rho \parallel R)$ implies $\exists \mu_1,\mu_2$ such that $\mu_1 \uplus \mu_2 = \rho$ and
$(\mathsf{new}\ \vec{c})(\lceil P\rceil_{\mu_1} \parallel \lceil Q\rceil_{\mu_2} \parallel R)\Downarrow$.

Proof. By induction on the number of reductions in $S\Downarrow$ leading to a safely-stable system, i.e., $S \longrightarrow^n S'\checkmark$ for
some $S'$.

$n = 1$: By cSpl, $S \equiv (\mathsf{new}\ \vec{c})(\lceil P \parallel Q\rceil_\rho \parallel R)$ can reduce to $(\mathsf{new}\ \vec{c})(\lceil P\rceil_{\rho_1} \parallel \lceil Q\rceil_{\rho_2} \parallel R)$, for some $\rho_1,\rho_2$, and by
Lemma 3.18 and $S'\checkmark$ we must have $S' \simeq (\mathsf{new}\ \vec{c})(\lceil P\rceil_{\rho_1} \parallel \lceil Q\rceil_{\rho_2} \parallel R)$, and since $S' \not\longrightarrow \mathit{err}$, this implies
$\exists \mu_1,\mu_2$ such that $\mu_1 \uplus \mu_2 = \rho$ and $(\mathsf{new}\ \vec{c})(\lceil P\rceil_{\mu_1} \parallel \lceil Q\rceil_{\mu_2} \parallel R)\Downarrow$.
$n = k+1$: We have $S \longrightarrow S' \longrightarrow^k S''\checkmark$ for some $S', S''$. Lemma A.5 gives us two sub-cases:

$S' \equiv (\mathsf{new}\ \vec{c})(\lceil P \parallel Q\rceil_\rho \parallel R')$ where $R \longrightarrow R'$: By $S' \longrightarrow^k S''\checkmark$ and I.H. we obtain $\exists \mu_1,\mu_2$ such that
$\mu_1 \uplus \mu_2 = \rho$ and $(\mathsf{new}\ \vec{c})(\lceil P\rceil_{\mu_1} \parallel \lceil Q\rceil_{\mu_2} \parallel R')\Downarrow$, which implies that $\exists \mu_1,\mu_2$ such that $\mu_1 \uplus \mu_2 = \rho$ and
$(\mathsf{new}\ \vec{c})(\lceil P\rceil_{\mu_1} \parallel \lceil Q\rceil_{\mu_2} \parallel R)\Downarrow$.

$S' \equiv (\mathsf{new}\ \vec{c})(\lceil P\rceil_{\rho_1} \parallel \lceil Q\rceil_{\rho_2} \parallel R)$: Immediate. □

Lemma A.8 (Corrective Reductions). $S\Downarrow$ and $S \longrightarrow T$ and $T\not\Downarrow$ implies $\exists R$ such that $S \longrightarrow R$ and $R \simeq T$ and $R\Downarrow$.

Proof. By Lemma A.6 we know $S \equiv (\mathsf{new}\ \vec{c})(\lceil P \parallel Q\rceil_{\rho \uplus \mu} \parallel S')$ as well as $T \equiv (\mathsf{new}\ \vec{c})(\lceil P\rceil_\rho \parallel \lceil Q\rceil_\mu \parallel S')$.
By Lemma A.7 we know $\exists \mu_1,\mu_2$ such that $\mu_1 \uplus \mu_2 = \rho \uplus \mu$ and $(\mathsf{new}\ \vec{c})(\lceil P\rceil_{\mu_1} \parallel \lceil Q\rceil_{\mu_2} \parallel S')\Downarrow$. Since $T \simeq
(\mathsf{new}\ \vec{c})(\lceil P\rceil_{\mu_1} \parallel \lceil Q\rceil_{\mu_2} \parallel S')$, this implies that we can correct the permission split and be able to reduce to a
safely-stable state. □
In order to apply corrective actions to multiple reduction steps, we need to extend Lemma A.8 to systems
that are related by $\simeq$, due to reductions of type (1) of Lemma 3.18. The next lemmas deal with this.
Lemma 3.20 states that there exist matching reductions for systems related by $\simeq$ preserving the evaluation
property, and Lemma A.9 extends this to multiple reductions. This allows us to prove the existence of corrective
reductions over multiple reductions.

Lemma 3.20 (Evaluation Preservation for $\simeq$). $S \simeq T$ and $S\Downarrow$ and $T \longrightarrow T'$ implies
$\exists S'$ such that $S \longrightarrow S'$, where $S' \simeq T'$ and $S'\Downarrow$.

Proof. By $S\Downarrow$ and Lemma 3.7 we have $S \not\longrightarrow \mathit{err}$, and by Lemma 3.17(1) we know $\exists S_1$ such that $S \longrightarrow S_1$
and $S_1 \simeq T'$. At this point we have two sub-cases: if $S_1\Downarrow$ then the result follows immediately. Otherwise,
if $S_1\not\Downarrow$, then Lemma A.8 states that $\exists S_2$ such that $S \longrightarrow S_2$, $S_2 \simeq S_1$ and $S_2\Downarrow$. By transitivity we have
$S_2 \simeq S_1 \simeq T'$. □

Lemma A.9 (Evaluation Preservation for $\simeq$). $S \simeq T$ and $S\Downarrow$ and $T \longrightarrow^n T'$ implies
$\exists S'$ such that $S \longrightarrow^n S'$, where $S' \simeq T'$ and $S'\Downarrow$.

Proof. By induction on $n$, the number of reductions in $T \longrightarrow^n T'$.
$n = 0$: Immediate.

$n = k+1$: We have $T \longrightarrow T'' \longrightarrow^k T'$. From $T \longrightarrow T''$ and Lemma 3.20 we obtain $\exists S''$ such that $S \longrightarrow
S''$, where $S'' \simeq T''$ and $S''\Downarrow$. By I.H. we know $S'' \longrightarrow^k S'$ for some $S'$ such that $S' \simeq T'$ and $S'\Downarrow$, and
$S \longrightarrow S'' \longrightarrow^k S'$ gives us the required reduction sequence. □

Lemma A.10. $\lfloor S\rfloor \equiv Q$ and $S\Downarrow$ implies $\exists T$ such that $S \longrightarrow^{*}\!\equiv T$ and $T\Downarrow$ and $\lfloor T\rfloor = Q$.

Proof. By rule induction on $\lfloor S\rfloor \equiv Q$. □

Lemma A.11. $\lfloor S\rfloor \equiv Q$ implies $\exists T.\ S \longrightarrow^{*} T$ or $S \equiv T$, where $\lfloor T\rfloor = Q$.

Proof. By rule induction on $\lfloor S\rfloor \equiv Q$ and then a tedious consideration of all the possible permutations of $S$
that may lead to $\lfloor S\rfloor$.

sAss: If $\lfloor S\rfloor = P_1 \parallel (P_2 \parallel P_3)$ then $Q = (P_1 \parallel P_2) \parallel P_3$ and $S$ can be either of the following:

$S = \lceil P_1 \parallel (P_2 \parallel P_3)\rceil_\rho$: By two applications of cSpl and then an application of cStr using scAss we obtain
$S \longrightarrow^{+} (\lceil P_1\rceil_{\rho_1} \parallel \lceil P_2\rceil_{\rho_2}) \parallel \lceil P_3\rceil_{\rho_3}$, where $\rho_1 \uplus \rho_2 \uplus \rho_3 = \rho$ and $\lfloor(\lceil P_1\rceil_{\rho_1} \parallel \lceil P_2\rceil_{\rho_2}) \parallel \lceil P_3\rceil_{\rho_3}\rfloor = Q$.

$S = \lceil P_1\rceil_{\rho_1} \parallel \lceil P_2 \parallel P_3\rceil_\rho$: By one application of cSpl and one application of cStr using scAss we obtain
$S \longrightarrow^{+} (\lceil P_1\rceil_{\rho_1} \parallel \lceil P_2\rceil_{\rho_2}) \parallel \lceil P_3\rceil_{\rho_3}$, where $\rho_2 \uplus \rho_3 = \rho$ and $\lfloor(\lceil P_1\rceil_{\rho_1} \parallel \lceil P_2\rceil_{\rho_2}) \parallel \lceil P_3\rceil_{\rho_3}\rfloor = Q$.

$S = \lceil P_1\rceil_{\rho_1} \parallel (\lceil P_2\rceil_{\rho_2} \parallel \lceil P_3\rceil_{\rho_3})$: By scAss we obtain $S \equiv (\lceil P_1\rceil_{\rho_1} \parallel \lceil P_2\rceil_{\rho_2}) \parallel \lceil P_3\rceil_{\rho_3}$, where
$\lfloor(\lceil P_1\rceil_{\rho_1} \parallel \lceil P_2\rceil_{\rho_2}) \parallel \lceil P_3\rceil_{\rho_3}\rfloor = Q$.

The symmetric case, where $\lfloor S\rfloor = (P_1 \parallel P_2) \parallel P_3$ and $Q = P_1 \parallel (P_2 \parallel P_3)$, is similar.
sCom: Similar to the sAss case.

sNil: If $\lfloor S\rfloor = P \parallel \mathit{nil}$ and $Q = P$ then we have two cases:

$S = \lceil P \parallel \mathit{nil}\rceil_\rho$: By cSpl, cStr and scNil we obtain $S \longrightarrow^{+} \lceil P\rceil_\rho$ and $\lfloor\lceil P\rceil_\rho\rfloor = P = Q$.

$S = \lceil P\rceil_{\rho_1} \parallel \lceil\mathit{nil}\rceil_{\rho_2}$: By cDsc, cStr and scNil we obtain $S \longrightarrow^{+} \lceil P\rceil_{\rho_1}$ and $\lfloor\lceil P\rceil_{\rho_1}\rfloor = P = Q$.

If $\lfloor S\rfloor = P$ and $Q = P \parallel \mathit{nil}$, then by scNil we have $S \equiv S \parallel \lceil\mathit{nil}\rceil_\emptyset$ and $\lfloor S \parallel \lceil\mathit{nil}\rceil_\emptyset\rfloor = Q$.
sNew: The most difficult case is when $S = \lceil(\mathsf{new}\ c)\mathit{nil}\rceil_\rho$ and $Q = \mathit{nil}$. By cLcl, cDsc and cStr with scNew we
obtain $S \longrightarrow^{+} \lceil\mathit{nil}\rceil_\emptyset$ and $\lfloor\lceil\mathit{nil}\rceil_\emptyset\rfloor = Q$. The other cases are similar.
sSwp: There are three cases: $S = \lceil(\mathsf{new}\ c)(\mathsf{new}\ d)P\rceil_\rho$, $S = (\mathsf{new}\ c)\lceil(\mathsf{new}\ d)P\rceil_\rho$ and $S = (\mathsf{new}\ c)(\mathsf{new}\ d)\lceil P\rceil_\rho$,
proved similarly to the cases above using cLcl, cStr and scSwp.
sExt: When $\lfloor S\rfloor = P \parallel (\mathsf{new}\ c)Q$ we have three cases: $S = \lceil P \parallel (\mathsf{new}\ c)Q\rceil_\rho$, $S = \lceil P\rceil_{\rho_1} \parallel \lceil(\mathsf{new}\ c)Q\rceil_{\rho_2}$, and
$S = \lceil P\rceil_{\rho_1} \parallel (\mathsf{new}\ c)\lceil Q\rceil_{\rho_2}$, and the proof follows using the rules cSpl, cLcl, cStr and scExt. The symmetric
case, when $\lfloor S\rfloor = (\mathsf{new}\ c)P \parallel Q$, is similar. □
Lemma 3.27 (Reduction Correspondence).

$S\Downarrow$ and $\lfloor S\rfloor \longrightarrow Q$ implies $\exists R$ such that $S \longrightarrow^{+} R$ and $\lfloor R\rfloor = Q$

Proof. By rule induction on $\lfloor S\rfloor \longrightarrow Q$. We here consider the main cases:
rCom: We have $\lfloor S\rfloor = c!e \parallel c?x.P$ and $Q = P\{v/x\}$ where $e\Downarrow v$. We have two sub-cases for $S$:

$S = \lceil c!e \parallel c?x.P\rceil_\rho$: By $S\Downarrow$, $\exists \mu_1,\mu_2$ such that $\mu_1 \uplus \mu_2 = \rho$ and $S \longrightarrow \lceil c!e\rceil_{\mu_1} \parallel \lceil c?x.P\rceil_{\mu_2} \longrightarrow \lceil P\{v/x\}\rceil_\rho$
and $\lfloor\lceil P\{v/x\}\rceil_\rho\rfloor = Q$.
$S = \lceil c!e\rceil_{\mu_1} \parallel \lceil c?x.P\rceil_{\mu_2}$: Similar.
rPar: We have $\lfloor S\rfloor = P_1 \parallel P_2$ and $Q = P'_1 \parallel P_2$ because $P_1 \longrightarrow P'_1$. We have two sub-cases for $S$:

$S = \lceil P_1 \parallel P_2\rceil_\rho$: By $S\Downarrow$, $\exists \mu_1,\mu_2$ such that $\mu_1 \uplus \mu_2 = \rho$ and $\lceil P_1 \parallel P_2\rceil_\rho \longrightarrow \lceil P_1\rceil_{\mu_1} \parallel \lceil P_2\rceil_{\mu_2}$. Now $\lceil P_1\rceil_{\mu_1} \parallel
\lceil P_2\rceil_{\mu_2}\Downarrow$ implies $\lceil P_1\rceil_{\mu_1}\Downarrow$, and by $P_1 \longrightarrow P'_1$ and I.H. we know $\exists R$ such that $\lceil P_1\rceil_{\mu_1} \longrightarrow^{+} R$ and $\lfloor R\rfloor =
P'_1$. Thus, by cPar, $\lceil P_1\rceil_{\mu_1} \parallel \lceil P_2\rceil_{\mu_2} \longrightarrow^{+} R \parallel \lceil P_2\rceil_{\mu_2}$ and $\lfloor R \parallel \lceil P_2\rceil_{\mu_2}\rfloor = Q$.
$S = S_1 \parallel S_2$ where $\lfloor S_1\rfloor = P_1$ and $\lfloor S_2\rfloor = P_2$: Similar.
rStr: We have $\lfloor S\rfloor = P_1$ and $Q = P_2$ because $P_1 \equiv P'_1$, $P'_1 \longrightarrow P'_2$, $P'_2 \equiv P_2$. By $\lfloor S\rfloor \equiv P'_1$ and
Lemma A.10 we know $\exists R_1$ such that $S \longrightarrow^{*}\!\equiv R_1$ and $R_1\Downarrow$ and $\lfloor R_1\rfloor = P'_1$. By $P'_1 \longrightarrow P'_2$ and I.H.
we know $\exists R_2$ such that $R_1 \longrightarrow^{+}\!\equiv R_2$ and $\lfloor R_2\rfloor = P'_2$, and by $P'_2 \equiv P_2$ and Lemma A.11 we know
$\exists R_3$ such that $R_2 \longrightarrow^{*}\!\equiv R_3$ and $\lfloor R_3\rfloor = P_2$. This implies $S \longrightarrow^{*}\!\equiv R_1 \longrightarrow^{+}\!\equiv R_2 \longrightarrow^{*}\!\equiv R_3$, i.e., $S \longrightarrow^{+} R_3$
where $\lfloor R_3\rfloor = Q$. □

Lemma 3.30 (Correspondence and Termination). $\lfloor S\rfloor \not\longrightarrow$ and $S\Downarrow T$ implies $\lfloor T\rfloor \equiv \lfloor S\rfloor$

Proof. By induction on the number of reductions that lead to a safely-stable system, $S \longrightarrow^n T$.
$n = 0$: We have $S = T$, which implies $\lfloor S\rfloor = \lfloor T\rfloor$.

$n = k+1$: We have $S \longrightarrow R$ and $R\Downarrow T$. By $S \longrightarrow R$ and Corollary A.4 we get $\lfloor S\rfloor \equiv \lfloor R\rfloor$, and thus $\lfloor R\rfloor \not\longrightarrow$. By
I.H. and $R\Downarrow T$ we get $\lfloor T\rfloor \equiv \lfloor R\rfloor$, and by transitivity we obtain $\lfloor T\rfloor \equiv \lfloor S\rfloor$. □



A.3. The Logic.

Lemma A.12. When $S \not\longrightarrow$ and $\Gamma, S \models \varphi$:

• $S \equiv \lceil c!e\rceil_\rho \parallel R$ implies $\uparrow c \in \mathit{edg}(\varphi)$ or $\mathit{edg}(\varphi)$ is undefined;

• $S \equiv (\mathsf{new}\ \vec{d})\lceil c?x.P\rceil_\rho \parallel R$ and $c \notin \vec{d}$ implies $\uparrow c \in \mathit{trg}(\varphi)$ or $\mathit{trg}(\varphi)$ is undefined.

Proof. By induction on the structure of $\varphi$. □

Lemma A.13. $\Gamma, S \models \varphi$, $S \not\longrightarrow$ and $\Gamma, T \models \psi$, $T \not\longrightarrow$ and $\varphi \perp \psi$ implies $\Gamma, S \parallel T \not\longrightarrow$

Proof. Since $S \not\longrightarrow$ and $T \not\longrightarrow$, by Lemma A.5 we know that $S \parallel T \longrightarrow R$ for some $R$ can only happen if:

$S \equiv (\mathsf{new}\ \vec{d})(\lceil c?x.P\rceil_\mu \parallel S')$ where $c \notin \vec{d}$ and $\downarrow c \in \mu$ (A.1)

$T \equiv \lceil c!e\rceil_\rho \parallel T'$ where $\uparrow c \in \rho$ (A.2)

or vice-versa. We here focus on the case where (A.1) and (A.2) have to hold; the dual case is identical. By
$\varphi \perp \psi$ we know that $\mathit{trg}(\varphi)$, $\mathit{edg}(\varphi)$, $\mathit{trg}(\psi)$ and $\mathit{edg}(\psi)$ must all be defined. Thus by (A.1), $\Gamma, S \models \varphi$ and
Lemma A.12 we must have $\uparrow c \in \mathit{trg}(\varphi)$. Similarly, by (A.2), $\Gamma, T \models \psi$ and Lemma A.12 we must have
$\uparrow c \in \mathit{edg}(\psi)$. This, however, would contradict $\varphi \perp \psi$, which requires that $\mathit{trg}(\varphi) \cap \mathit{edg}(\psi) = \emptyset$. Thus $S \parallel T \not\longrightarrow$.

□

Lemma 4.11 (Merging Assertions). $\Gamma, S \models \varphi$ and $\Gamma, T \models \psi$, $S \perp T$ and $\varphi \perp \psi$ implies $\Gamma, S \parallel T \models
\varphi * \psi$

Proof. $S \perp T$ implies $S \parallel T$ is well-resourced. From $\Gamma, S \models \varphi$, $\Gamma, T \models \psi$ and Proposition 4.5 we know that
$S\Downarrow S'$ and $T\Downarrow T'$ where $\Gamma, S' \models \varphi$ and $\Gamma, T' \models \psi$. By Lemma A.13 we also know that $S \parallel T \Downarrow S' \parallel T'$, and the result
follows by satisfaction on Figure 3. □
A.4. The Proof System. Proofs for the derived rules from Section 5.1.

The proof for lCut (read from the premises downwards):

lImp, from $\Gamma; b \vdash \{\varphi_1\}\ S\ \{\psi\}$: $\Gamma; b \vdash \{\varphi_1\}\ S\ \{emp * \psi\}$

lImp, from $\Gamma; b \vdash \{\psi\}\ T\ \{\varphi_2\}$: $\Gamma; b \vdash \{emp * \psi\}\ T\ \{\varphi_2\}$

lPar, from the two sequents above (side conditions $emp \perp \psi$ and $emp \perp \varphi_2$): $\Gamma; b \vdash \{\varphi_1 * emp\}\ S \parallel T\ \{emp * \varphi_2\}$

lImp: $\Gamma; b \vdash \{\varphi_1\}\ S \parallel T\ \{\varphi_2\}$

The proof for lSep:

lImp, from $\Gamma; b \vdash \{\varphi_1\}\ S\ \{\psi_1\}$: $\Gamma; b \vdash \{\varphi_1\}\ S\ \{\psi_1 * emp\}$

lImp, from $\Gamma; b \vdash \{\varphi_2\}\ T\ \{\psi_2\}$: $\Gamma; b \vdash \{\varphi_2 * emp\}\ T\ \{\psi_2\}$

lPar, from the two sequents above (side conditions $\psi_1 \perp \psi_2$ and $\varphi_2 \perp emp$): $\Gamma; b \vdash \{\varphi_1 * \varphi_2\}\ S \parallel T\ \{\psi_1 * \psi_2\}$

The proof for lOutD:

lOut (side condition $\Gamma(c) \subseteq \rho$): $\Gamma;\ b \wedge \vec{x} = \vec{e}_1 \wedge \vec{x} = \vec{e}_2 \vdash \{emp\}\ \lceil c!\vec{e}_2\rceil_\rho\ \{c\langle\vec{e}_2\rangle\}$

lSub (side condition $\vec{x} \notin \mathit{fn}(b) \cup \mathit{fn}(\vec{e}_1, \vec{e}_2)$): $\Gamma;\ b \wedge \vec{x} = \vec{e}_1 \wedge \vec{x} = \vec{e}_2 \vdash \{emp\}\ \lceil c!\vec{x}\rceil_\rho\ \{c\langle\vec{e}_2\rangle\}$

lInst (instantiating $\vec{x}$ with $\vec{e}_1$): $\Gamma;\ b \wedge \vec{e}_1 = \vec{e}_1 \wedge \vec{e}_1 = \vec{e}_2 \vdash \{emp\}\ \lceil c!\vec{e}_1\rceil_\rho\ \{c\langle\vec{e}_2\rangle\}$

lImp (side condition $b \models b \wedge \vec{e}_1 = \vec{e}_1 \wedge \vec{e}_1 = \vec{e}_2$): $\Gamma;\ b \vdash \{emp\}\ \lceil c!\vec{e}_1\rceil_\rho\ \{c\langle\vec{e}_2\rangle\}$

The proof for lInD: from the premise $\Gamma; b \vdash \{\varphi\}\ \lceil P\{\vec{e}/\vec{x}\}\rceil_{\rho \cup \Gamma(c)} \parallel Q\ \{\psi\}$ and the side condition $\downarrow c \in \rho$, the rule lIn yields $\Gamma; b \vdash \{\varphi * c\langle\vec{e}\rangle\}\ \lceil c?\vec{x}.P\rceil_\rho \parallel Q\ \{\psi\}$, and lImp then yields the conclusion of lInD.

Lemma A.14. Assume that $\{|{}^{e|v}/x|\}$ is a substitution that non-deterministically substitutes either $e$ or $v$ for $x$.
Then we have

$S\{|v/x|\} \longrightarrow T\{|v/x|\}$ and $e\Downarrow v$ implies $S\{|e/x|\} \longrightarrow R$ where $R = T\{|{}^{e|v}/x|\}$
for some non-deterministic substitution $\{|{}^{e|v}/x|\}$.

Proof. By rule induction on $S\{|v/x|\} \longrightarrow T\{|v/x|\}$. □

Lemma A.15. $\Gamma, T\{|v/x|\} \models \varphi$ and $e\Downarrow v$ and $T \not\longrightarrow$ implies $\Gamma, T\{|e/x|\} \models \varphi$

Proof. By induction on the structure of $\varphi$. □

Lemma A.16. $\Gamma, T\{|v/x|\} \models \varphi$ and $e\Downarrow v$ implies $\Gamma, T\{|e/x|\} \models \varphi$

Proof. Follows from Lemma A.14 and Lemma A.15. □

Lemma A.17. $\Gamma, S \models \varphi$ and $d \notin \mathit{dom}(\Gamma)$ implies $\Gamma, (\mathsf{new}\ d)S \models \varphi$

Proof. By induction on the structure of $\varphi$. For instance:

$c\langle e\rangle$: We know $S\Downarrow \lceil c!e_1\rceil_\rho$ where $e\Downarrow v$, $e_1\Downarrow v$ and $\Gamma(c) \subseteq \rho$. By cRes and then by cTgh and $d \notin \mathit{nm}(c\langle e\rangle) \cup
\mathit{nm}(\Gamma)$ we deduce

$(\mathsf{new}\ d)S \longrightarrow^{*}\!\equiv (\mathsf{new}\ d)(\lceil c!e_1\rceil_\rho) \equiv (\mathsf{new}\ d)(\lceil c!e_1\rceil_\rho \parallel \lceil\mathit{nil}\rceil_\emptyset)$

$(\mathsf{new}\ d)(\lceil c!e_1\rceil_\rho \parallel \lceil\mathit{nil}\rceil_\emptyset) \longrightarrow \lceil c!e_1\rceil_{\rho \setminus \{\downarrow d,\uparrow d\}} \parallel (\mathsf{new}\ d)(\lceil\mathit{nil}\rceil_{\rho \cap \{\downarrow d,\uparrow d\}}) \longrightarrow^{*}\!\equiv \lceil c!e_1\rceil_{\rho \setminus \{\downarrow d,\uparrow d\}}$

Since $d \notin \mathit{dom}(\Gamma)$, then by Definition 4.1(2), i.e., the environment is suitably closed, it follows that $\Gamma(c) \subseteq
(\rho \setminus \{\downarrow d,\uparrow d\})$, and hence $\Gamma, \lceil c!e_1\rceil_{\rho \setminus \{\downarrow d,\uparrow d\}} \models c\langle e\rangle$ and, by Proposition 4.7, $\Gamma, (\mathsf{new}\ d)S \models c\langle e\rangle$. □
Definition A.18 (Permission Restriction).

$S \setminus \mu \stackrel{\mathit{def}}{=} \begin{cases} S_1 \setminus \mu \parallel S_2 \setminus \mu & \text{if } S = S_1 \parallel S_2 \\ (\mathsf{new}\ c)(T \setminus (\mu \setminus \{\downarrow c,\uparrow c\})) & \text{if } S = (\mathsf{new}\ c)T \end{cases}$

Proposition A.19. $S \setminus \mu \not\longrightarrow \mathit{err}$ implies $S \not\longrightarrow \mathit{err}$

Lemma A.20. $S \setminus \mu \not\longrightarrow$ implies $\exists T.\ S \longrightarrow^{*} T$ where $(T \setminus \mu) = (S \setminus \mu)$
Proof. By Proposition 3.14 we know

$S \setminus \mu \equiv (\mathsf{new}\ \vec{d})\big(\parallel_{i=0}^{n} \lceil c_i!e_i\rceil_{\rho_i} \parallel \parallel_{j=0}^{m} \lceil c'_j?x_j.P_j\rceil_{\mu_j}\big)$ where $\{c_1,\ldots,c_n\} \cap \{c'_1,\ldots,c'_m\} = \emptyset$ (A.3)

By system structural equivalence, $\equiv$, the only sub-systems in $S$ that are abstracted away from $S \setminus \mu$ in
$(\mathsf{new}\ \vec{d})\big(\parallel_{i=0}^{n} \lceil c_i!e_i\rceil_{\rho_i} \parallel \parallel_{j=0}^{m} \lceil c'_j?x_j.P_j\rceil_{\mu_j}\big)$ are those of the form $\lceil\mathit{nil}\rceil_\rho$ where $\rho \subseteq \mu$; the operation made these
systems equivalent to $\lceil\mathit{nil}\rceil_\emptyset$, which could then be eliminated through scNil. In $S$, sub-systems of the form
$\lceil\mathit{nil}\rceil_\rho$ can still be eliminated through cDsc and then scNil (as before), leaving us with the same array of
mismatching confined output and input processes found in $S \setminus \mu$, less the restricted permissions. □

Lemma A.21. $S \setminus \mu \longrightarrow T \setminus \mu$ implies $S \longrightarrow T$

Proof. By rule induction on $S \setminus \mu \longrightarrow T \setminus \mu$. □

Lemma A.22. $(S \setminus \mu)\Downarrow T$ implies $S\Downarrow R$ where $R \setminus \mu = T$

Proof. Follows from Lemma A.21, Lemma A.20 and Proposition A.19. □

Lemma A.23. $\Gamma, (S \setminus \mu) \models \varphi$ implies $\Gamma, S \models \varphi$

Proof. By induction on the structure of $\varphi$ using Lemma A.22. □